Privacy & security
How mrge keeps your code and data safe
mrge is built by developers, for developers. We understand that your source code is your most valuable asset, so we designed our systems with security and privacy as a first principle, not an afterthought.
Our guiding principles
- Short-lived processing – We never permanently store your repository’s source code. Your code is fetched into an isolated, short-lived sandbox only while an AI review is running and is irreversibly deleted as soon as the job completes.
- Encryption everywhere – All data is encrypted in transit (TLS 1.2+) and at rest (AES-256), including database records and object storage.
- Least-privilege access – The mrge GitHub App requests the minimum scope required to perform reviews. No write or admin permissions beyond those listed below are requested, and each one is tied to a specific review function.
- Transparent operations – We publish this page so that every customer—current or prospective—can understand exactly how we treat their data. If you have questions, email us any time at contact@mrge.io. Our data handling practices are further detailed in our Privacy Policy and use of the service is governed by our Terms of Service.
SOC 2 status
mrge is committed to achieving SOC 2 Type II compliance to provide the highest level of security and trust for our customers. We are actively working towards this certification and have implemented many of the required controls internally (such as change management, access management, and vulnerability management). We will update this page and proactively notify customers as we progress through the formal audit process.
Permissions requested by the mrge GitHub App
Granting the following scopes allows mrge to read pull requests, leave review comments, and update PR status checks.
Scope | Access | Why we need it |
---|---|---|
Pull requests | Read & write | Post AI-generated review comments and resolve threads when feedback is addressed |
Checks / Statuses | Read & write | Surface pass/fail status checks for AI review completion |
Contents | Read-only | Fetch the diff and surrounding context for each file under review |
Metadata | Read-only | Display repository information inside the mrge UI |
User email | Read-only | Send transactional notifications (e.g. failed review run) |
Note: You can install the mrge App on a single repository or an entire organisation. Access is scoped to the repositories you select during installation, and can be modified at any time from GitHub’s “Installed Apps” settings page.
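The table above is the baseline an installation should never exceed. The following script, an added illustration rather than mrge's own code, compares the `permissions` object GitHub returns for an installation (for example from `GET /orgs/{org}/installations`) against that baseline and reports anything granted beyond it. The permission key names are the REST API spellings, which is an assumption here: "Checks / Statuses" is taken to be the two keys `checks` and `statuses`, and "User email" the user-level `email_addresses` permission. The sample installation object is constructed and deliberately includes an extra permission so the audit has something to flag.

```python
"""Audit a GitHub App installation's granted permissions against a
least-privilege baseline.

Added illustration, not mrge's code. Assumes the `permissions` object shape
returned by the GitHub REST API for installations, which maps a permission
name to "read", "write" or "admin".
"""
import json

# Ordering used to decide whether a granted level exceeds the expected one.
LEVEL = {"read": 1, "write": 2, "admin": 3}

# Baseline taken from the permissions table. Key names are the REST API
# spellings (assumption: "Checks / Statuses" -> checks + statuses,
# "User email" -> the user-level email_addresses permission).
EXPECTED = {
    "pull_requests": "write",
    "checks": "write",
    "statuses": "write",
    "contents": "read",
    "metadata": "read",
    "email_addresses": "read",
}


def audit_permissions(granted, expected=EXPECTED):
    """Return findings for permissions that exceed the baseline or were never
    declared. An empty list means the grant is within scope."""
    findings = []
    for name, level in granted.items():
        want = expected.get(name)
        if want is None:
            findings.append(f"undeclared permission: {name}={level}")
        elif LEVEL.get(level, 99) > LEVEL[want]:
            findings.append(f"excess privilege: {name}={level} (expected {want})")
    return findings


def audit_installation(installation, expected=EXPECTED):
    """Audit one element of the API's "installations" array, also flagging an
    installation that covers every repository in the organisation."""
    findings = audit_permissions(installation["permissions"], expected)
    if installation.get("repository_selection") == "all":
        findings.append(
            "installed on all repositories; select only the repositories that need review"
        )
    return findings


# Constructed sample shaped like one installation object. The "administration"
# grant is made up so that the audit produces a finding.
SAMPLE_INSTALLATION = json.loads("""{
  "id": 12345,
  "app_slug": "example-app",
  "repository_selection": "selected",
  "permissions": {
    "contents": "read",
    "metadata": "read",
    "pull_requests": "write",
    "checks": "write",
    "statuses": "write",
    "administration": "write"
  }
}""")

if __name__ == "__main__":
    for finding in audit_installation(SAMPLE_INSTALLATION):
        print("FINDING:", finding)
```

Run it against the real response from GitHub's "Installed Apps" API for your organisation to confirm the grant matches the table; any output line is a permission worth asking about.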
How AI code review works
- Event trigger – Whenever a pull request is opened or updated, GitHub sends mrge a webhook describing the event.
- Ephemeral sandbox – A new isolated container is launched. The sandbox has no network egress.
- Analysis – The pull-request diff, together with only the context needed to review it, is processed by AI models.
- Comment publication – The generated review comments are posted back to the PR via the GitHub API.
- Secure teardown – The sandbox (filesystem, memory, logs) is destroyed immediately after the review finishes.
At no point is your repository cloned to a long-lived server or stored in a database. If the review is cancelled or the PR is closed, the sandbox is destroyed right away.
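The event-trigger step above starts from an inbound webhook, and the part of that step a receiver must get right before launching any sandbox is authenticating the delivery. The script below is an added illustration, not mrge's code: it verifies GitHub's documented `X-Hub-Signature-256` header (HMAC-SHA256 over the raw request body, hex-encoded, prefixed `sha256=`) with a constant-time compare, ignores events other than a pull request being opened or updated, and reduces the payload to the few fields a review job needs. The secret, headers and payload are constructed for the example; the payload field names are the ones GitHub uses for `pull_request` events.

```python
"""Verify and triage a GitHub pull_request webhook delivery.

Added illustration, not mrge's code. Assumes GitHub's X-Hub-Signature-256
scheme (HMAC-SHA256 over the raw body, hex, prefixed "sha256=") and the
pull_request event payload fields referenced below.
"""
import hashlib
import hmac
import json

# pull_request actions that mean "the PR was opened or updated".
REVIEW_ACTIONS = {"opened", "synchronize", "reopened"}


def verify_signature(secret, body, signature_header):
    """Return True only if the header equals HMAC-SHA256(secret, body).
    hmac.compare_digest keeps the comparison constant-time."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature_header)


def triage_delivery(secret, headers, body):
    """Authenticate a delivery and return the minimal job description a review
    sandbox needs, or None if the event is not one we act on.
    Raises PermissionError when the signature does not match."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        raise PermissionError("webhook signature mismatch; dropping delivery")
    if headers.get("X-GitHub-Event") != "pull_request":
        return None
    event = json.loads(body)  # parse only after the body is authenticated
    if event.get("action") not in REVIEW_ACTIONS:
        return None
    pr = event["pull_request"]
    return {
        "delivery_id": headers.get("X-GitHub-Delivery"),
        "installation_id": event["installation"]["id"],
        "repo": event["repository"]["full_name"],
        "pr_number": event["number"],
        "head_sha": pr["head"]["sha"],
        "base_sha": pr["base"]["sha"],
    }


def sign(secret, body):
    """Produce the header value GitHub would send for this body (used here only
    to build the constructed sample)."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


# Constructed sample delivery; every value is made up.
SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = json.dumps({
    "action": "synchronize",
    "number": 42,
    "pull_request": {"head": {"sha": "a" * 40}, "base": {"sha": "b" * 40}},
    "repository": {"full_name": "example-org/example-repo"},
    "installation": {"id": 12345},
}).encode()
SAMPLE_HEADERS = {
    "X-GitHub-Event": "pull_request",
    "X-GitHub-Delivery": "00000000-0000-0000-0000-000000000000",
    "X-Hub-Signature-256": sign(SECRET, SAMPLE_BODY),
}

if __name__ == "__main__":
    print(triage_delivery(SECRET, SAMPLE_HEADERS, SAMPLE_BODY))
```

Two design points matter here: the body is parsed only after the signature checks out, so an unauthenticated sender cannot reach the JSON parser or anything downstream, and the job description carries only identifiers and commit SHAs, leaving the actual fetch of contents to the sandbox step.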
AI subprocessors
mrge uses best-in-class large-language models hosted by vetted providers (currently OpenAI and Anthropic). Our agreements with these subprocessors explicitly prohibit using your data for model training. Only the minimal code snippets required for the requested analysis are transmitted, and all requests are sent over encrypted channels.
If your organisation prefers to completely block AI features, please contact us and we can disable them for your workspace.
Logging & metadata
We record operational metadata only—for example, the duration of a review run or the size of the diff. Neither full source code nor pull-request diffs are written to our logs.
Reporting a security issue
If you believe you have found a vulnerability in mrge, please email our security team at contact@mrge.io with the subject line “Security Vulnerability”. We investigate all reports promptly and appreciate the efforts of the security community.