Trust
Security at Mero
How we protect the data you trust us with.
We know you're trusting Mero with data from your product tools - Notion pages, Linear issues, Slack messages, and more. Here's exactly how we protect it.
Infrastructure
Mero is built on SOC 2 Type II certified infrastructure across the board:
Vercel (Hosting)
- SOC 2 Type II certified
- Global edge network with DDoS protection
- All traffic served over TLS 1.2+
Supabase (Database)
- SOC 2 Type II certified
- AES-256 encryption at rest
- Automated daily backups with point-in-time recovery
- Isolated database per customer organization
Clerk (Authentication)
- SOC 2 Type II certified
- Industry-standard OAuth 2.0 and session management
- MFA (multi-factor authentication) available for all accounts
Anthropic (AI)
- SOC 2 Type II certified
- Does NOT use API data to train models
- Data processed transiently and not retained after inference
Data protection
Encryption in transit
All data between your browser and Mero - and between Mero and its infrastructure - is encrypted using TLS 1.2 or higher.
Encryption at rest
All data stored in Mero's database is encrypted at rest using AES-256 encryption.
Data isolation
Each organization's data is logically isolated. Your data is never mixed with or accessible to other customers.
Access controls
- Production database access is restricted to authorized personnel only
- All internal production access requires multi-factor authentication
- Access privileges are reviewed regularly and revoked when no longer needed
- We apply the principle of least privilege: team members access only what they need for their role
AI and your data
When you generate insights, your integration data is sent to Anthropic's Claude API for analysis. Key points:
- Anthropic does not train models on API data - this is contractually guaranteed in their API terms
- Data is processed transiently and not stored by Anthropic beyond the duration of the API request
- Raw integration content is not stored by Mero after insight generation is complete - only the analysis output is retained
Incident response
In the event of a security incident affecting customer data:
- We will notify affected customers within 72 hours
- We will provide details of what data was involved and what steps we've taken
- For customers with an active DPA, notifications will follow the process set out in that agreement
Responsible disclosure
Found a security vulnerability? Please report it to:
We commit to:
- Acknowledging your report within 48 hours
- Keeping you updated as we investigate
- Not pursuing legal action against good-faith researchers
Please do not publicly disclose vulnerabilities until we've had a reasonable time to address them.
Questions
Security questions: security@withmero.com
Privacy questions: hello@withmero.com
DPA requests: hello@withmero.com