Mergo's Security Assessment

This article answers the question: "Can I trust Mergo with my Google data?" And the answer is Yes. Mergo undergoes a mandatory yearly security audit by Google-empanelled security assessors. This assessment helps keep Mergo users' (your) data safe by verifying that Mergo is capable of handling data securely and of deleting user data upon user request.

Security Assessment (Annual Recertification)

Every app that requests access to restricted-scope Google user data (e.g., access to your Gmail inbox to check whether your campaign recipients have responded) and that can access that data from or through a third-party server (i.e., Mergo) is required to go through a security assessment by Google-empanelled security assessors.

This assessment helps keep Google users' data safe by verifying that every app that accesses Google user data (i.e., Mergo) demonstrates the capability to handle data securely and to delete user data upon user request.

In order to maintain access to restricted scopes, Mergo needs to undergo this security assessment on an annual basis; this process is called the Security Reassessment, also known as Annual Recertification.

To date, these security firms have audited Mergo:

  • February 2022 - NCC Group
  • 2021 (No reassessment required by Google)
  • June 2020 - Bishop Fox

Note: Letters of Assessments (LoA) from our Penetration Testing partners (Google empanelled security assessors) are available upon request.
Email us at support@mergo.app.


What does the security assessment include?

The security assessment includes the following: 

1. External Network Penetration Testing

Identification of potential vulnerabilities in external, internet-facing infrastructure and systems.

  • Discovery and enumeration of live hosts, open ports, services, unpatched software, administration interfaces, authentication endpoints lacking MFA, and other external-facing assets
  • Automated vulnerability scanning combined with manual validation
  • Brute-forcing of authentication endpoints, directory listings, and other external assets
  • Analysis of potential vulnerabilities to validate and develop complex attack chaining patterns and custom exploits
  • Potential exploitation of software vulnerabilities, insecure configurations, and design flaws
2. Application Penetration Testing

Identification of potential vulnerabilities in the application that accesses Google user data.

  • Real-world attack simulation focused on identification and exploitation
  • Discovery of attack surface, authorization bypass, and input validation issues
  • Automated vulnerability scanning combined with manual validation
  • Exploitation of software vulnerabilities, insecure configurations, design flaws, and weak authentication
  • Analysis of vulnerabilities to validate and develop complex attack chaining patterns and custom exploits
  • Verification that users can delete their account, leaving no external indication that the user or the user's content is still accessible
3. Deployment Review

Identification of potential vulnerabilities in the infrastructure deployment that could lead to the compromise of Google user data.

  • Gathering all available configuration settings and metadata, as well as using manual techniques, to build a profile of the cloud environment
  • Analyzing the collected information to identify any gaps or deviations from accepted cloud security best practices
  • Manually examining configuration settings to locate anomalies and issues such as weak IAM policies, exposed storage containers, poorly defined security groups, insecure use of cloud services, and insecure key management
  • Exploitation of vulnerabilities, insecure configurations, design flaws, and weak authentication, as needed
  • Verifying that OAuth tokens and user data from Restricted Scopes are encrypted at rest, and that keys and key material are managed appropriately, such as being stored in a hardware security module or an equivalent-strength key management system
  • Ensuring that developer access to the deployment environment is secured with multi-factor authentication
4. Policy and Procedure Review

Review and examination of the information security policies and procedures provided via the Self-Assessment Questionnaire (SAQ).

  • Incident Response Plan: Establishes roles, responsibilities, and actions when an incident occurs
  • Risk Management Policy: Identifies, reduces, and prevents undesirable incidents or outcomes
  • Information Security Policy: Ensures that all users comply with the rules and guidelines related to the security of information stored digitally at any point in the network
  • Privacy User Data Deletion: Ensures that users can delete their accounts and related user data, demonstrated by an account deletion where relevant


For more information, please reference Mergo's auxiliary policies:

User Account Deletion

Please visit our User Account Deletion section under our Privacy Policy.