MergeBase Plugins/Apps – Data Security and Privacy Policy

Introduction

Please read this data security and privacy policy carefully before using MergeBase Plugins.

In addition to our core application security products, MergeBase also publishes and maintains marketplace apps, plugins, and add-ons (referred to generally as “plugins” in this document). These plugins are available in several popular development and security marketplaces (e.g., Atlassian, Azure, Github). 

Our plugins comply with specific Data Security and Privacy Policy requirements which are detailed below.

Data Security

MergeBase plugins have two modes of operation: basic, and enhanced. In the basic mode, the plugin is not permitted to invoke any network activity whereas in enhanced mode, when configured to do so by a plugin administrator, the plugin can be configured to download fresh global vulnerability data. It can also be configured to send vulnerability scans to a customer-controlled MergeBase cloud server running on MergeBase cloud infrastructure.

By default, MergeBase plugins are always initially installed in basic mode, and plugin administrators at the customer’s organization must consciously enable the enhanced mode.

Basic Mode

MergeBase plugins never store any data outside your company’s assets. They only transmit data between your assets (e.g., your corporate on-prem Bitbucket server; your Github cloud subscription) and your users’ computers.
The staff of MergeBase Software Inc. have no way to see any of your data, and no way to communicate with any MergeBase plugin installs. MergeBase plugins never “phone home”.

Enhanced Mode

When switched to “Enhanced” mode (by staff at the customer’s organization), MergeBase plugins can be configured to download fresh global vulnerability data. They can also be configured to upload vulnerability scans to customer-assigned MergeBase cloud servers.

Vulnerability scans might upload build files (e.g., pom.xml, *.csproj, package-lock.json, etc.) and 64-bit component hashes that MergeBase uses to calculate vulnerabilities. No source code is uploaded EXCEPT for build files – for example, we would never upload *.java or *.cs files to the customer-assigned MergeBase cloud server.

The customer-assigned cloud servers include their own isolated databases and their own isolated logging and application server deployments. At MergeBase we do not combine customer data on our cloud servers and we always keep each customer’s data isolated from all other customers (both on disk and in memory).

Privacy Policy

In addition to MergeBase’s corporate Privacy Policy, MergeBase plugins also comply with the following additional policy:

Unless you have notified us otherwise (see condition #2, below), you consent to receive marketing emails from MergeBase Software Inc. Note: we will only use email addresses associated with the administrator accounts that installed the plugin.

You are free to withdraw your consent to receive marketing emails from us at any time. You can withdraw your consent by emailing us at julius@mergebase.com or clicking on the “unsubscribe” link at the bottom of any of our marketing emails.