MergeBase – Plugins/Apps – Data Security and Privacy Policy


In addition to our core application security products, MergeBase also publishes and maintains marketplace apps, plugins, and add-ons (referred to generally as “plugins” in this document). These plugins are made available in several popular development and security marketplaces (e.g., Atlassian, Azure, Github, etc).

Our plugins comply with specific Data Security and Privacy Policy requirements which are detailed below.

Data Security

MergeBase plugins have two modes of operation: basic, and enhanced. In the basic mode the plugin is not permitted to invoke any network activity, whereas in enhanced mode, when configured to do so by a plugin administrator, the plugin can be configured to download fresh global vulnerability data; the plugin can also be configured to send vulnerability scans to a customer-controlled MergeBase cloud server running on MergeBase cloud infrastructure. By default MergeBase plugins are always initially installed in basic mode, and plugin administrators at the customer’s organization must consciously enable the enhanced mode.

Basic Mode
MergeBase plugins never store any data outside of your company’s assets, and they only transmit data between your assets (e.g., your corporate on-prem Bitbucket server; your Github cloud subscription, etc) and your users’ computers.
The staff of MergeBase Software Inc. have no way to see any of your data, and no way to communicate with any MergeBase plugin installs. MergeBase plugins never “phone home”.
Enhanced Mode
When switched to “Enhanced” mode (by staff at the customer’s organization), MergeBase plugins can be configured to download fresh global vulnerability data. They can also be configured to upload vulnerability scans to customer-assigned MergeBase cloud servers. Vulnerability scans might upload build files (e.g., pom.xml, *.csproj, package-lock.json, etc), as well as 64-bit component hashes that MergeBase uses to calculate vulnerabilities. No source code is uploaded EXCEPT for build files – for example we would never upload *.java or *.cs files to the customer-assigned MergeBase cloud server. The customer-assigned cloud servers include their own isolated databases and their own isolated logging and application server deployments. At MergeBase we do not combine customer data on our cloud servers and we always keep each customer’s data isolated from all other customers (both on disk and in memory).

Privacy Policy

In addition to MergeBase’s corporate Privacy Policy, MergeBase plugins also comply with the following additional policy:

Unless you have notified us otherwise (see condition #2, below), you consent to receiving marketing emails from MergeBase Software Inc. Note: we will only use email addresses associated with the administrator accounts that installed the plugin.

At any time you are free to withdraw your consent to receive marketing emails from us. You can withdraw your consent by emailing us at, or by clicking on the “unsubscribe” link on the bottom of any of our marketing emails.


Download your copy now!

[contact-form-7 id="271" title="White Paper Download"]

Discover More from MergeBase

Core Product

BuildGreen is a powerful solution for identifying the real risk of open source at build time or in existing applications

Learn how BuildGreen can protects your Enterprise

Add RunTime Protection

RunGreen detects and defends against known-vulnerabilities at runtime.

Learn why Runtime Protection Matters

Optional Developer Add-on

CodeGreen is an early-warning defence for your in-house development and integrates directly into code repositories

Quick Start - For Free