
Security Review for Merge Powered Integrations

As part of your setup and onboarding process, Merge will provide you with a link to submit your security information to Gusto.

To maximize the likelihood of passing Security Review, please be prepared to provide the following:

  • Documentation
    • All current security related audits and supporting documentation
      • E.g. SOC 2 Type 2, ISO 27001 + SOA, PCI DSS etc.
    • Penetration test report(s)
    • All other relevant security and privacy related documentation, reports, audits, certificates and policies
      • E.g. Incident response, privacy, physical security and data retention/destruction policies
  • Points of Contact
    • Security contact name, title and email address
    • Incident Response contact name, title and email address
  • If you do not have a formal security audit (SOC 2 Type 2, ISO 27001, PCI DSS etc.), information on:
    • Background check policies
    • Confidentiality agreements
    • Security awareness training
    • Physical security controls
    • Employee endpoint controls
    • Multi-factor authentication
    • Access control program
    • Vulnerability avoidance
    • Bug bounty program
    • Privacy policy
    • Compliance with relevant data privacy regulations
    • Strategies for protecting the confidentiality and integrity of network communication
    • Incident response policies and procedures
    • Vulnerability scanning
    • Vulnerability remediation
    • Third-party vendor management program
    • Encryption of data at rest
    • Encryption of data in transit
    • Data retention and destruction policies
    • Function level authorization
    • Access control mechanisms
    • Authorization mechanisms at the record level
    • Standards for authentication, token generation, password generation and storage
    • Brute force protections
    • Resource and rate limiting
    • API-level protections, validations, filters and sanitization
    • Security configuration reviews
    • API security improvement policies