MergeBase Plugins/Apps – Data Security and Privacy Policy


Please read this data security and privacy policy carefully before using MergeBase Plugins.

In addition to our core application security products, MergeBase also publishes and maintains marketplace apps, plugins, and add-ons (referred to generally as “plugins” in this document). These plugins are available in several popular development and security marketplaces (e.g., Atlassian, Azure, Github). 

Our plugins comply with specific Data Security and Privacy Policy requirements which are detailed below.

Data Security

MergeBase plugins have two modes of operation: basic, and enhanced. In the basic mode, the plugin is not permitted to invoke any network activity whereas in enhanced mode, when configured to do so by a plugin administrator, the plugin can be configured to download fresh global vulnerability data. It can also be configured to send vulnerability scans to a customer-controlled MergeBase cloud server running on MergeBase cloud infrastructure.

By default, MergeBase plugins are always initially installed in basic mode, and plugin administrators at the customer’s organization must consciously enable the enhanced mode.

Basic Mode

MergeBase plugins never store any data outside your company’s assets. They only transmit data between your assets (e.g., your corporate on-prem Bitbucket server; your Github cloud subscription) and your users’ computers.
The staff of MergeBase Software Inc. have no way to see any of your data, and no way to communicate with any MergeBase plugin installs. MergeBase plugins never “phone home”.

Enhanced Mode

When switched to “Enhanced” mode (by staff at the customer’s organization), MergeBase plugins can be configured to download fresh global vulnerability data. They can also be configured to upload vulnerability scans to customer-assigned MergeBase cloud servers.

Vulnerability scans might upload build files (e.g., pom.xml, *.csproj, package-lock.json, etc.) and 64-bit component hashes that MergeBase uses to calculate vulnerabilities. No source code is uploaded EXCEPT for build files – for example, we would never upload *.java or *.cs files to the customer-assigned MergeBase cloud server.

The customer-assigned cloud servers include their own isolated databases and their own isolated logging and application server deployments. At MergeBase we do not combine customer data on our cloud servers and we always keep each customer’s data isolated from all other customers (both on disk and in memory).

Privacy Policy

In addition to MergeBase’s corporate Privacy Policy, MergeBase plugins also comply with the following additional policy:

Unless you have notified us otherwise (see condition #2, below), you consent to receive marketing emails from MergeBase Software Inc. Note: we will only use email addresses associated with the administrator accounts that installed the plugin.

You are free to withdraw your consent to receive marketing emails from us at any time. You can withdraw your consent by emailing us at or clicking on the “unsubscribe” link at the bottom of any of our marketing emails.


Download your copy now!

[contact-form-7 id="271" title="White Paper Download"]

Discover More from MergeBase

Open Source Protection

Stay on top of the real risk of open source at any time.

Avoid false positives and get sophisticated upgrade guidance based on risk, compatibility, and popularity.

More on Continuous Protection

Add Dynamic Application Surveillance and Hardening

Detect and defend against known-vulnerabilities at runtime. The only SCA to do so.

The quickest way to respond to an imminent threat like log4j with CVE-2021-44228.

More on Runtime

Shift Left Now

MergeBase directly integrates with Github and Bitbucket to provide an early warning system for your in-house development

Product Overview