How we handle your data.
Short version: we built Merkava on top of customer data we wouldn't want anyone leaking — our own. Tenant scoping is enforced at the database layer, integration credentials encrypt at rest, and every action is auditable per Why/Tool/Did/Next. Below is the longer version, plus our compliance roadmap.
What we collect
- Account data: email, name, password hash (scrypt — never reversible), tenant + employee records.
- Connected-system data: only what's needed to do the work. A Drive that ships PRs needs your repo contents; a Drive that runs ads needs ad-account access. Each integration's scope is the minimum required.
- Action logs: every action Merkava takes on your behalf is recorded. Your own logs stay private to your tenant. Merkava-runs-Merkava actions land in a public log so you can verify how the product runs itself.
- Operational telemetry: request paths, response codes, latencies. No request bodies or response bodies in logs.
What we don't do
- Sell your data. Ever. Not to advertisers, not to data brokers.
- Train external models on your data. If you BYOK an LLM provider, traffic goes directly to that provider; we don't intercept.
- Read your private repos, emails, or CRM rows for anything other than the action a Drive is currently performing.
- Share data across tenants. Tenant scoping is enforced at the database layer + audited continuously.
Technical controls — today
| Control | Status |
|---|---|
| Password hashing (scrypt, salted) | ✓ Live |
| TLS 1.2+ in transit, no exceptions | ✓ Live |
| HSTS, X-Frame: DENY, CSP, X-Content-Type: nosniff | ✓ Live |
| Tenant scoping enforced at DB query layer | ✓ Live |
| Per-action audit log (24h Undo window) | ✓ Live |
| Brute-force rate-limiting on /login + /signup | ✓ Live |
| Trust ladder gating destructive actions | ✓ Live |
| Integration credentials encrypted at rest (AES-GCM) | → Q2 2026 |
| SSO via SAML / OIDC | → Custom plans, Q3 2026 |
| SOC 2 Type II audit | → Kickoff Q3 2026 |
| EU data residency | → Roadmap |
Backups + retention
Production database runs on Railway-managed Postgres with volume snapshots retained for 30 days. Restore-from-snapshot is exercised in non-prod periodically to verify the path actually works. On account deletion, tenant data is purged from production within 30 days; residual snapshots roll off in the normal retention window.
GDPR / CCPA
Right-to-access, right-to-delete, and data-portability requests go to [email protected] from the account email on file. We respond within 30 days. Tenant data is isolated, so a deletion request scopes cleanly to your tenant.
Subprocessors
The third parties we share data with to run Merkava:
- Railway — compute + managed Postgres, US-East
- Cloudflare — CDN, DNS, edge cache, WAF
- Anthropic / OpenAI / Perplexity / Voyage AI — LLM + embedding inference. Bypassed when you BYOK; in BYOK mode traffic flows directly from Merkava to your provider account.
- Stripe — billing, when wired
- Resend — transactional email, when wired
We notify you of subprocessor changes 30 days in advance via Merkava + email.
Breach notification
If we suffer a personal-data breach affecting your tenant, you'll hear within 72 hours of confirmation. Notification will include scope, root cause, mitigation, and remediation timeline.
Reporting a vulnerability
Found something? Email [email protected]. We acknowledge within 24 hours, triage within 72, and credit you in our security notes if you want public attribution. PGP key available on request. Bug bounty formalizes after SOC 2 audit kickoff.
Need our compliance materials?
For enterprise procurement: SOC 2 status letter, architecture diagram, current control matrix, and BAA template are available on request. Email [email protected] from a corporate domain — we respond same business day.
SSO, BAA, custom data residency, dedicated support. Email [email protected] or hire your team and we'll reach out.
Run auditSecurity FAQ.
Where is my data stored?
Railway US-East. Tenant-isolated at the database query layer (every Drive scopes by tenant_id). EU residency on the post-launch roadmap; multi-region for tenants on custom Enterprise plans (EU-West first).
Is data encrypted at rest and in transit?
In transit: TLS 1.2+ no exceptions, HSTS, X-Frame DENY, CSP headers. Integration credentials encrypted at rest with AES-GCM rolling out Q2 2026. Passwords hashed with scrypt (salted, never reversible). BYOK API keys encrypted at rest, never logged, never exposed in UI after setup.
Can I get a BAA for HIPAA compliance?
Yes — BAAs are available on custom Enterprise plans. The Redline Drive enforces compliance at the integration-connect gate (no PHI flows to a vendor without a signed BAA on file). Email [email protected] to scope a healthcare or regulated-industry deployment.
SOC 2 status?
SOC 2 Type II audit kickoff is Q3 2026. Controls are being implemented in parallel with launch. Customers needing the SOC 2 status letter pre-completion can email [email protected] — we share the in-flight controls + auditor identity under NDA.
How do you handle a security breach?
Vulnerability disclosure to [email protected]; PGP key available on request. Acknowledged within 1 business day; resolution timeline depends on severity (critical: 7 days; high: 30; medium: 90). For confirmed breaches affecting tenant data, customers are notified within 72 hours per GDPR / state-law requirements with details of impact + remediation.
Who are your subprocessors?
Railway (hosting), Cloudflare (CDN/WAF), Stripe (billing), Resend (transactional email), Anthropic / OpenAI / Perplexity (LLM inference, BYOK or managed Forge), Voyage AI (embeddings). All under signed DPAs. Full subprocessor list and DPA templates available on request to [email protected].
What happens to my data if I cancel?
Access continues to the end of your current paid period. Then a 90-day grace window for re-activation. After grace, scheduled for deletion within 30 days unless you request earlier deletion. GDPR / CCPA: deletion request within 30 days, backups purge within an additional 30 days. Email [email protected] to expedite.