Security & privacy

• Cloud provider: Google Cloud Platform (GCP)
• Region: us-east4 (United States)
• Database: GCP Cloud SQL for PostgreSQL (managed)
• Architecture: Single-region deployment with daily backups stored multi-region

For enterprise customers, we can accommodate specific data residency requirements (including EU-only data storage).

• In transit: All data is encrypted in transit using industry-standard TLS.
• At rest: All data is encrypted at rest using AES-256.
• Key management: Encryption keys are managed using Google Cloud KMS.
• Field-level encryption: Sensitive fields including passwords are encrypted at the field level.
• Password storage: Passwords are hashed using PBKDF2 with SHA-256 and a unique salt per user.

We recommend customers use Google Sign-On where possible, which removes the need for us to store passwords at all.

How customers' users log in

• Login methods: Email/password or Google OAuth
• Password requirements: Minimum 9 characters, cannot be similar to user data (email, name), cannot be a commonly used password, cannot be entirely numeric
• Multi-factor authentication (MFA): Available via Google OAuth (configured through your Google account). Native MFA support (TOTP) is on our roadmap.
• Single Sign-On (SSO): Currently supported via Google. SAML 2.0 and OIDC support are on our roadmap.
• SCIM provisioning: Not currently supported; on our roadmap.

How Merritt employees access customer data

• Production access is limited to a minimal set of individuals (currently the CTO; we may add an admin role as we grow). Least-privilege principles guide all access decisions.
• Production data is never copied to staging or development environments.
• Internal access controls will be formalized further (including approval workflows and audit logging) as part of our SOC 2 preparation.

We're an AI-native product, and we take a thoughtful approach to how AI interacts with customer data.

• LLM provider: We use OpenAI as our primary LLM provider. Data sharing settings with OpenAI are disabled, meaning OpenAI does not use customer data to train their models.
• What gets sent to LLMs: Customer content (feedback, goals, role expectations, feedback drafts) is sent to our LLM provider only when needed to power specific features (review drafting, feedback coaching).
• Our own model improvement: We may use de-identified customer content to improve our AI features. Customers can opt out of having their organization's data used for model improvement by contacting us.
• Humans in the loop: AI assists managers; it does not replace them. Managers remain responsible for decisions about their teams.

We use the following third-party services. Each has access only to the data needed to perform its function and is contractually bound to protect that data.

We'll update this list as our service providers change.

• Backups: Daily, encrypted, stored multi-region
• Retention: 30 days
• Recovery Point Objective (RPO): Up to 24 hours
• Recovery Time Objective (RTO): Within 1 business day
• Backup testing: Restoration has been tested

Automated failover is on our enterprise roadmap.

• On-call: Our CTO is the current incident commander.
• Breach notification: In the event of a confirmed security incident affecting customer data, we will notify affected customers within 72 hours of confirmation.
• Post-incident reviews: We conduct post-incident reviews for any production issue.
• Track record: We have had no security incidents to date.

A formal written incident response plan is on our SOC 2 preparation roadmap.

• Dependency monitoring: GitHub's built-in security alerts.
• Patch SLA: Critical vulnerabilities are patched within 24 hours, including outside of business hours.
• Penetration testing: Planned as part of SOC 2 preparation.
• Formal SAST/DAST tooling: Planned as part of SOC 2 preparation.

We're an early-stage company being transparent about where we are and where we're going.

• SOC 2 Type I: Preparation begins 2027, target completion late 2028
• SOC 2 Type II: Target completion 2029
• GDPR: We can accommodate data subject access and deletion requests. A Data Processing Agreement (DPA) is available upon request.
• HIPAA: We do not process Protected Health Information (PHI). The Services are not intended for HIPAA-regulated use cases.

• Deletion requests: Customers can request hard deletion of their data at any time. Data is fully deleted (including from backups) within 60 days.
• Standard deletes: In-product deletions are soft deletes by default; hard deletes are available on request.
• Data export: Customers can export their data at any time by contacting support. Data is provided in CSV or XLSX format.
• Subscription end: Customer content is retained for the duration of the subscription and a reasonable period thereafter, unless deletion is requested earlier.

We're being honest about what we don't have yet. Most of this is planned for 2027–2028 as we move toward enterprise readiness:

• Native MFA (TOTP)
• SAML / OIDC SSO
• SCIM provisioning
• Web Application Firewall (WAF)
• DDoS protection
• API rate limiting
• IP allowlisting
• Automated failover
• SOC 2 certification

Have a question or a specific requirement we don't address here? Email amber@merritt.app — we'd rather have the conversation than dodge it.

Merritt Performance, Inc.
131 Continental Dr, Suite 305
Newark, DE 19713

amber@merritt.app