Security at Merit
Protecting users and organizations is our first priority. We want you to have a clear idea of the steps that we take, the tools that we use, and how you can help. Our individual, organization, and business data is safeguarded by industry-best, market-leading security solutions in a layered security approach.
This page was last modified in June 2021 and last reviewed in December 2021.
All application communication is protected by enterprise-grade encryption. We utilize the latest recommended secure cipher suites to encrypt all traffic in transit. This includes TLS 1.2 protocols, AES256 encryption, and SHA2 signatures. Merit engineers monitor the changing cryptographic landscape and upgrade our cipher suite choices as best practices evolve. At rest, all types of data are encrypted using FIPS 140-2 compliant encryption standards.
Secure Data Centers
Our production systems and data reside in top-tier third-party data centers that maintain state-of-the-art physical protection and monitoring. Our data centers hold multiple industry-recognized certifications, including FedRAMP, ISO, SOC, and PCI. Merit’s hosting provider is also compliant with various regulations, privacy standards, and frameworks, including HIPAA, HITECH, GLBA, the EU Data Protection Directive, EU-US Privacy Shield, and FISMA.
A proactive approach to security means that our engineers stay ahead of emerging threats. That’s why we actively scan our network, our endpoints, and our source code for new security updates and modifications needed to prevent attacks.
Culture of Continuous Improvement
Staying secure is a continuous and comprehensive process. Maintaining a culture that values security and continuous improvement enables us to prevent vulnerabilities. To those ends, we train our team members throughout the year on staying vigilant against the latest attack trends and then test our staff’s awareness through realistic attack simulations—and then block any attacks as they happen.
Join the Effort
We are always looking to improve and you are welcome to help us do so. If you notice anything suspicious such as a vulnerability or what may be an attack in progress (e.g., phishing, account compromise), please contact our security team at firstname.lastname@example.org.
If you would like to ensure end-to-end privacy, please encrypt your emails using our GPG key.
View our System Description here.