Security Policy

Last updated: August 15, 2025

At BetterMerge, we take the security of your data seriously. This Security Policy outlines the measures we implement to protect your information, email campaigns, and Google account data when using our mail merge service.

1. Our Security Commitment

BetterMerge is committed to maintaining the highest standards of security and data protection. We implement multiple layers of security controls to protect your data from unauthorized access, disclosure, alteration, and destruction.

🔒 Security First Approach

Security is not an afterthought at BetterMerge—it's built into every aspect of our service from the ground up.

2. Infrastructure Security

2.1 Hosting and Data Centers

  • Secure Data Centers: Our servers are hosted in enterprise-grade data centers in the United States with 24/7 physical security, biometric access controls, and environmental monitoring
  • Redundancy: Multiple server instances and backup systems ensure service availability and data protection
  • Network Security: Protected by enterprise firewalls and intrusion detection systems

2.2 Network Protection

  • Cloudflare Protection: All traffic is routed through Cloudflare's global network, providing DDoS protection, Web Application Firewall (WAF), and SSL/TLS encryption
  • SSL/TLS Encryption: All data transmission between your browser and our servers is encrypted using industry-standard TLS 1.3
  • HTTPS Everywhere: Our entire service operates over secure HTTPS connections

3. Authentication and Access Control

3.1 User Authentication

  • Google OAuth 2.0: We use Google's secure OAuth 2.0 authentication system—we never store your passwords
  • Multi-Factor Authentication: Leverages Google's own MFA and security systems for your account protection
  • Session Management: Secure session handling with automatic timeout and secure token management

3.2 Data Access Controls

  • Minimal Permissions: We only request the minimum Google account permissions necessary for our service to function
  • User-Controlled Access: You can revoke our access to your Google account at any time through your Google Account settings
  • Principle of Least Privilege: Our systems operate with the minimum access required for each function

4. Data Protection

4.1 Data Encryption

  • Encryption at Rest: Sensitive data and authentication credentials are encrypted using industry-standard encryption algorithms with our own encryption keys
  • Encryption in Transit: All data transmission is protected using TLS 1.3 encryption
  • Secure Credential Management: Authentication credentials and access tokens are securely handled with appropriate protection measures

4.2 Data Minimization

  • Limited Data Storage: We only store data necessary for service functionality—we don't store your Google Sheets content or sent email content
  • Metadata Only: For Google Sheets, we store only metadata (names, IDs), not the actual data content
  • Automatic Cleanup: System logs are automatically deleted after 30 days

5. Server and Application Security

5.1 Server Hardening

  • SSH Key Authentication: Server access is restricted to SSH key authentication only—no password access
  • Firewall Protection: Properly configured firewalls restrict access to necessary ports only
  • Regular Updates: Operating systems and security patches are regularly updated
  • Minimal Attack Surface: Only essential services are installed and running

5.2 Application Security

  • Secure Development: Security best practices are followed throughout the development process
  • Input Validation: All user inputs are properly validated and sanitized
  • Error Monitoring: Sentry error tracking helps us identify and fix security-related issues quickly

6. Privacy and Compliance

  • Google API Compliance: We strictly adhere to Google's API Services User Data Policy and Limited Use requirements
  • GDPR Compliance: Appropriate safeguards for EU users, including data transfer protections and user rights
  • Privacy by Design: Privacy considerations are built into every feature and process
  • No Data Selling: We never sell, rent, or trade your personal information to third parties

7. Monitoring and Incident Response

7.1 Security Monitoring

  • 24/7 Monitoring: Automated monitoring systems watch for security threats and anomalies
  • Error Tracking: Real-time error monitoring helps detect and respond to issues quickly
  • Access Logging: All system access is logged and monitored for suspicious activity

7.2 Incident Response

  • Rapid Response: Security incidents are addressed immediately upon detection
  • User Notification: In case of a data breach affecting personal information, we will notify affected users within 72 hours
  • Containment and Recovery: Established procedures for containing incidents and restoring service security

8. Third-Party Security

We carefully select and monitor third-party services used in our operations:

  • Google Services: Firebase Authentication with enterprise-grade security
  • Sentry: Error monitoring and performance tracking with data anonymization and retention controls
  • Paddle: PCI-compliant payment processing—we never store payment card information
  • Cloudflare: Enterprise security services including DDoS protection and WAF
  • Vendor Assessment: All third-party services are evaluated for security and privacy compliance

9. Your Security Responsibilities

While we implement comprehensive security measures, your security also depends on your actions:

👤 User Security Best Practices:

  • Keep your Google account secure with strong passwords and 2FA
  • Regularly review your Google account security settings
  • Only use BetterMerge on secure, trusted devices
  • Log out when using shared or public computers
  • Report any suspicious activity to our support team
  • Ensure you have proper consent before sending email campaigns

10. Security Updates and Improvements

Security is an ongoing process. We continuously work to improve our security posture:

  • Regular Security Reviews: Periodic assessment of our security measures and practices
  • Vulnerability Management: Proactive identification and remediation of potential security issues
  • Security Updates: Regular updates to address new threats and vulnerabilities
  • Industry Standards: Following current security best practices and industry standards

11. Reporting Security Issues

We appreciate and encourage responsible disclosure of security vulnerabilities. If you discover a security issue:

🚨 Security Contact:

  • Email: support@bettermerge.com
  • Subject Line: "SECURITY: [Brief Description]"
  • Response Time: We aim to respond within 24 hours
  • Please include: Detailed description, steps to reproduce, and impact assessment

We request that you:

  • Do not access or modify data that doesn't belong to you
  • Do not perform actions that could disrupt our service
  • Allow us reasonable time to address the issue before public disclosure
  • Do not use the vulnerability for personal gain

12. Contact Us

For questions about our security practices or this Security Policy:

This Security Policy is part of our commitment to transparency and user trust. We will update this policy as our security practices evolve.