Security and data handling

Security at MergeYard

This page describes the current MergeYard Zendesk app and public website in reviewer-friendly terms, using conservative language tied to the product that exists today.

MergeYard is operated by CatsDojo LLC.

Identity and access

How agents and workspaces are protected

Authentication

For Marketplace distribution, MergeYard uses Zendesk-approved OAuth flows for customer authorization and agent sign-in.

MergeYard does not require customers to share long-lived Zendesk API tokens for normal production use.

Development-only or private-test utilities, if present, are disabled for production Marketplace installations.

Authorization and workspace access

Workspace access is scoped to authenticated users in the relevant MergeYard workspace.

Private channels, direct messages, and restricted collaboration spaces are limited to authorized participants rather than the full workspace.

Administrative settings such as workspace mapping, seats, approvals, and access rules are handled through authenticated administrative workflows.

Data inventory

What MergeYard processes and stores

Zendesk data accessed

MergeYard may process the following Zendesk-related data when needed for the app:

  • Zendesk subdomain and workspace context;
  • authenticated agent identity used for sign-in and workspace access control;
  • ticket ID used to create or reopen the correct ticket-linked discussion;
  • limited ticket context such as the ticket subject used to label the discussion.

The current ticket-linked discussion flow does not rely on the full ticket body or requester identity to create and label the linked discussion.

MergeYard collaboration data

MergeYard stores collaboration content created by users inside MergeYard, including:

  • channels and channel membership state;
  • messages, replies, and thread activity;
  • direct messages;
  • ticket-linked discussions and related ticket references;
  • call metadata and conversation linkage where applicable;
  • workspace configuration and audit-oriented operational records.

Storage and lifecycle

How MergeYard handles data over time

Data storage

Traffic to MergeYard is intended to be encrypted in transit using HTTPS and TLS.

Production data is stored on infrastructure and managed services that support encryption at rest.

Operational access to production systems is restricted to authorized personnel with a business need.

Data retention and deletion

MergeYard retains workspace configuration, collaboration records, and operational data for as long as reasonably necessary to operate the service, maintain security, comply with law, and support customer obligations.

Questions about retention, return, deletion, or workspace offboarding can be sent to privacy@mergeyard.com.

Subprocessors

The current public subprocessor inventory is available on the Subprocessors page.

At the public website level, the current disclosed production infrastructure provider is DigitalOcean. Additional vendor detail can be provided during customer review as appropriate.

Support and security contact

Use the contacts below for security questions, reviewer follow-up, privacy requests, or support escalation.