Security

How we protect your code and data with modern security practices.

Security First Approach

MergeBetter is built with security as a core principle. We implement multiple layers of protection to ensure your code and data remain safe.

Minimal Permissions

We request only the minimum GitHub permissions necessary to detect conflicts. We do not request write access to your code.

Zero Code Storage

We analyze diffs in memory only. Your source code is never stored on our servers.

End-to-End Encryption

All data is encrypted in transit and at rest using industry-standard encryption protocols.

Data Protection

What We Access

  • Repository metadata (names, URLs)
  • Pull request information
  • Diff data for conflict analysis
  • Organization member list (for billing)

What We Don't Access

  • Source code content
  • Sensitive files or secrets
  • Private repository write access
  • User personal information

Infrastructure Security

AWS Security

  • Hosted on Amazon Web Services (AWS)
  • VPC isolation with private subnets
  • IAM roles with least privilege access
  • Automated security patches
  • DDoS protection via AWS Shield
  • Underlying AWS infrastructure is SOC 2 Type II compliant

Application Security

  • Container isolation via ECS
  • Secrets management via AWS Secrets Manager
  • TLS 1.3 encryption for all connections
  • Regular internal security reviews
  • Automated vulnerability scanning
  • GitHub webhook signature verification
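The webhook signature verification listed above, as an added illustration (this is not MergeBetter's own code): GitHub signs every delivery with HMAC-SHA256 over the raw request body using the app's webhook secret and sends the result in the X-Hub-Signature-256 header, so the receiver recomputes the HMAC and compares it in constant time before trusting the payload. The secret and payload below are constructed sample values.

```python
import hashlib
import hmac

# Header GitHub attaches to each webhook delivery when a webhook secret is configured
SIGNATURE_HEADER = "X-Hub-Signature-256"


def compute_signature(secret: str, body: bytes) -> str:
    """Return the 'sha256=<hex>' value GitHub puts in X-Hub-Signature-256 for this body."""
    digest = hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: str, headers: dict, body: bytes) -> bool:
    """Accept the delivery only if the HMAC over the *raw* body matches the header.

    The body must be the exact bytes received; re-serialising parsed JSON
    would change whitespace or key order and break the comparison.
    """
    received = headers.get(SIGNATURE_HEADER) or headers.get(SIGNATURE_HEADER.lower())
    if not received or not received.startswith("sha256="):
        return False  # missing or malformed signature: treat as unauthenticated
    expected = compute_signature(secret, body)
    # compare_digest runs in constant time, so a mismatch does not leak how many
    # leading characters of the signature were correct
    return hmac.compare_digest(expected, received)


# Constructed sample delivery (hypothetical secret and payload, not real GitHub data)
WEBHOOK_SECRET = "example-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","pull_request":{"number":42}}'
SAMPLE_HEADERS = {SIGNATURE_HEADER: compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)}

if __name__ == "__main__":
    print(verify_webhook(WEBHOOK_SECRET, SAMPLE_HEADERS, SAMPLE_BODY))  # True
    tampered = SAMPLE_BODY.replace(b"42", b"43")  # body altered after signing
    print(verify_webhook(WEBHOOK_SECRET, SAMPLE_HEADERS, tampered))  # False
```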

GitHub App Permissions

Required Permissions & Justification

Contents (Read Only)

Required to analyze file changes and detect potential conflicts. We only read diff data, never full file content.

Pull Requests (Read & Write)

Read access is used to analyze PRs for conflicts; write access is used only to post conflict warning comments.

Issues (Write Only)

Optional permission to post conflict notifications as issues if enabled in settings.

Metadata (Read Only)

Basic repository information required for GitHub App functionality.

Compliance & Certifications

SOC 2 Type II

AWS infrastructure compliance

GDPR Ready

EU data protection compliance

CCPA Compliant

California privacy rights

Global Standards

International security practices

Security Practices

Monitoring & Detection

  • 24/7 security monitoring
  • Automated threat detection
  • Real-time alerting for anomalies
  • Comprehensive audit logging
  • Regular penetration testing

Incident Response

  • Documented incident response plan
  • Rapid containment procedures
  • Customer notification protocols
  • Post-incident review and improvements
  • Regular security drills

Development Security

  • Secure development lifecycle
  • Code review requirements
  • Automated security testing
  • Dependency vulnerability scanning
  • Regular security training

Access Controls

  • Multi-factor authentication
  • Role-based access control
  • Principle of least privilege
  • Regular access reviews
  • Secure credential management

Security Questions?

Our security team is here to answer any questions about our security practices and compliance.