HIPAA Compliance Statement

Last updated: May 1, 2026

Important Notice Regarding Protected Health Information (PHI)

MergeProof is a code security scanning service. This service is not a HIPAA Business Associate and does not provide HIPAA-compliant data handling.

Do not submit repositories containing Protected Health Information (PHI) as defined under HIPAA, or any other sensitive personal health data, to MergeProof's scanning service.

By using MergeProof, you confirm that the repositories you submit do not contain PHI and that your use complies with all applicable laws and regulations governing your data. See our full Terms of Service for details.

Service Scope

At MergeProof, we focus on Independent Verification & Validation (IV&V) for software correctness and security. While we implement rigorous technical safeguards to protect the intellectual property and code integrity of our customers, our platform is not architected to meet the specific regulatory requirements for processing PHI at this time.

Technical & Organizational Safeguards

Despite not being a HIPAA Business Associate, we maintain a high security baseline:

  • Encryption: All data is encrypted at rest and in transit (AES-256 and TLS 1.2+).
  • Isolated Sandboxing: Repositories are processed in ephemeral, isolated environments.
  • Access Control: Strict role-based access controls (RBAC) ensure limited data exposure.
  • Audit Logging: Comprehensive logging of system access and data processing is maintained.

Contact Compliance

For questions regarding our compliance roadmap or data handling practices, please email our team at compliance@mergeproof.org.