Trust

Honest controls. No compliance theater.

We separate what we ship today, what we’re working on, and what’s still on the roadmap — so you can decide based on what exists, not what’s promised. Everything here is evidence-backed.

Shipped

Integration tokens and provider credentials are encrypted before storage.
Passwords are bcrypt-hashed and sessions include token-version invalidation.
Google and GitHub sign-in use one-time OAuth state and PKCE-backed flows.
Provider webhooks verify signatures or shared secrets before processing.
Durable rate limits protect auth, OAuth, invite, credential, and AI session-start paths.
Security audit events exist for launch-critical auth and integration actions.

In progress

Workspace export and deletion controls for beta.
Better Stack status page and public incident workflow.
Consent-gated nonessential analytics and RUM.
Formal Customer Portal billing lifecycle proof.

Roadmap

SOC 2 readiness program.
SAML, SCIM, BYOK, enterprise residency, and public bounty coverage.
Customer-facing audit-log UI.
Native MFA beyond upstream Google/GitHub account protections.

AI data handling

Merak does not train models on customer data. Hosted AI calls use API providers such as OpenAI and Anthropic under their API processing terms.

Vulnerability reports

Send good-faith reports to security@getmerak.com. Include reproduction steps and affected surfaces; do not include secrets or unrelated customer data.

Privacy and status

Privacy requests route to privacy@getmerak.com. Public uptime and incident history live at status.getmerak.com.