Data Policy

Last Updated: May 2026

This Data Policy explains how MergeLoom handles customer data, source code references, run artefacts, and audit evidence across our Cloud Hosted and Self-Hosted deployment models.

01. Tenant Isolation

MergeLoom is designed for tenant isolation. Workspace records, integration credentials, repository catalog metadata, code-derived evidence, run artefacts, and audit summaries are scoped to a single tenant and are not shared across tenants.

02. Control Plane Responsibilities

  • Tenant and workspace records
  • User accounts, authentication, and access control
  • Worker enrollment for both Cloud Hosted and Self Hosted
  • Billing, plan state, and Stripe coordination
  • Connector and integration configuration state
  • Repository catalog metadata (identifiers, names, default branches)
  • Workflow settings and Quality Agent configuration
  • Job leasing, scheduling, and status
  • Ticket intake polling and PR/MR creation or update
  • Audit and event summaries, plus minimal job metadata

03. Worker Responsibilities

  • Repository clone, fetch, and branch preparation
  • Local prompt assembly and context selection
  • AI execution against the configured provider path
  • Setup, test, and validation commands
  • Repair loop and Quality Agent stages
  • Branch push and PR/MR handoff
  • Local audit, live traces, and Code Audit evidence
  • Live run state during execution

04. Cloud Hosted Execution

Cloud Hosted runs use MergeLoom-managed worker infrastructure with tenant-isolated runtime boundaries. The current AI model provider for Cloud Hosted execution is Anthropic, used through MergeLoom; AI credits are supplied and billed through MergeLoom. Temporary execution data is deleted after the run completes. Prompts, logs, traces, and audit records are retained according to plan type and workspace settings.

05. Self Hosted Execution

Self Hosted runs execute inside the customer's environment. Repository checkout, context assembly, AI execution, tests, validation, repair attempts, branch push, worker-local traces, worker-local audit, and Code Audit evidence stay within the customer-controlled worker boundary. The customer controls the infrastructure, provider path, network access, repository access, credentials, and runtime environment. The MergeLoom control plane stores coordination and configuration metadata and safe operational summaries; the control plane does not store full Self Hosted source code or deep execution traces by default.

06. Context Engine And Context Vault

Context Engine may index selected repositories and documentation, build manifests and relationship evidence, create Context Vault documents, map services, modules, APIs, events, and dependencies, return snippets and context packs, and produce audit evidence describing what context shaped a run. Context Engine artefacts are tenant-scoped and used only to support runs and answer repository questions for that tenant.

07. Integration Data Handling

Atlassian Jira Cloud is used for ticket intake, comments, and workflow updates. Confluence Cloud may be configured as a documentation source; Confluence page bodies are fetched by the worker path when needed for a run, and the control plane does not store all Confluence page bodies by default.

GitHub, GitLab, and Microsoft Azure DevOps integrations are used for repository operations and PR or MR output. Repository clone, fetch, and push happen from the worker path.

monday.com and Linear are used for ticket and item intake and status updates.

Slack and Microsoft Teams are optional review notification destinations that the customer can configure.

08. AI Model Use

MergeLoom does not train foundation models on customer source code. AI provider calls are bounded by the configured provider path and tenant scope. Self Hosted customers may select Codex CLI, Claude Code CLI, Codex API, Claude / Anthropic API, OpenAI-compatible private endpoints (with tool and function calling), Google Vertex AI, AWS Bedrock, or Azure AI Foundry; those calls run under the customer's own provider contracts and security controls.

09. Encryption

Data in transit is protected using modern transport encryption. Data at rest within MergeLoom-managed components is encrypted using industry-standard mechanisms. Self Hosted customers are responsible for encryption configuration within their own worker environment.

10. Retention And Deletion

Cloud Hosted temporary execution data is deleted after the run completes. Prompts, logs, traces, and audit records are retained according to plan type and workspace settings. Self Hosted customers control retention of worker-local traces and Code Audit evidence stored in their environment. Customers may request deletion of tenant data, subject to legal, contractual, and audit retention requirements; deletion procedures are described in the documentation and the applicable subscription terms.

11. Subprocessors

For the current list of providers used to operate the website, controller, billing, support, email, analytics, Cloud Hosted AI execution, and scheduling, see the Subprocessors page.

Contact Us

Questions about this policy? Contact us at support@mergeloom.ai.
