Single-Tenant Security

Each site is deployed in a secure, isolated environment, providing dedicated resources and data isolation.

SOC 2, Type II Certified

Security Grounded in Site Isolation

Merlin Alchemy is the only ediscovery platform that deploys each client in its own fully isolated infrastructure. Where most legal technology platforms run on shared, multi-tenant systems, Merlin provides each client with a separate AWS account, a secure, separate environment, and dedicated computing resources. This is not a marketing distinction — it is a fundamental architectural difference that changes how your data is protected.

How it Works

Each client environment operates as a standalone deployment with its own network, servers, databases, and storage. The practical effect:

  • Separate AWS accounts per client. Your environment is administratively and cryptographically isolated from every other client. There is no shared database, no shared infrastructure, and no possibility of cross-tenant data exposure.
  • Private subnets with no direct internet access. All servers run inside private subnets within a secure, locked-down VPC. There are no public IP addresses on any application server. External access is routed exclusively through a load balancer, and all communication with cloud services occurs over private network links.
  • Dedicated resources per matter. Each deployment receives its own processing power, memory, and storage — so performance is consistent regardless of what’s happening on other client environments. Environments scale independently as matter requirements grow.
  • Matter-specific URLs with independent authentication. Each matter has its own access point and login credentials, keeping matters fully separated even within the same client account.
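The isolation properties listed above (no public IP on any application server, every server in a private subnet, only the load balancer reachable from outside) are exactly the things a client's security team would want to verify rather than assume. The following is an added example, not Merlin's own tooling: an audit function run over a constructed inventory shaped like the fields boto3's describe_instances, describe_subnets and describe_route_tables return. For brevity the subnet-to-route-table association is folded into a `RouteTableId` key on each subnet (a simplification of the real API), and a subnet counts as public when its route table has a route to an internet gateway (`igw-*`).

```python
"""Added example, not Merlin's code: check that tagged app servers have no
public IP and sit in private subnets. Inventory below is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample data, not from any real AWS account. The RouteTableId on
# each subnet is a simplification; boto3 exposes it via route table associations.
SUBNETS = [
    {"SubnetId": "subnet-app", "MapPublicIpOnLaunch": False, "RouteTableId": "rtb-private"},
    {"SubnetId": "subnet-lb", "MapPublicIpOnLaunch": True, "RouteTableId": "rtb-public"},
]
ROUTE_TABLES = {
    "rtb-private": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-1"}],
    "rtb-public": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-1"}],
}
INSTANCES = [
    {"InstanceId": "i-app1", "SubnetId": "subnet-app",
     "Tags": [{"Key": "Role", "Value": "app"}]},
    {"InstanceId": "i-app2", "SubnetId": "subnet-lb", "PublicIpAddress": "203.0.113.5",
     "Tags": [{"Key": "Role", "Value": "app"}]},
]


def subnet_is_public(subnet: Dict, route_tables: Dict[str, List[Dict]]) -> bool:
    """A subnet is public if its route table sends traffic to an internet gateway."""
    routes = route_tables.get(subnet["RouteTableId"], [])
    return any(str(r.get("GatewayId", "")).startswith("igw-") for r in routes)


def tag(instance: Dict, key: str) -> Optional[str]:
    return next((t["Value"] for t in instance.get("Tags", []) if t["Key"] == key), None)


def find_exposed_app_servers(instances: List[Dict], subnets: List[Dict],
                             route_tables: Dict[str, List[Dict]]) -> List[Tuple[str, str]]:
    """Return (instance id, reason) for every app server that breaks the isolation rules."""
    by_id = {s["SubnetId"]: s for s in subnets}
    findings = []
    for inst in instances:
        if tag(inst, "Role") != "app":
            continue  # load balancers and other roles are out of scope here
        if inst.get("PublicIpAddress"):
            findings.append((inst["InstanceId"], "has a public IP address"))
        subnet = by_id.get(inst["SubnetId"])
        if subnet is None or subnet_is_public(subnet, route_tables) or subnet.get("MapPublicIpOnLaunch"):
            findings.append((inst["InstanceId"], "runs in a public subnet"))
    return findings
```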

Why This Matters for Legal Teams

In a multi-tenant platform, a security incident in one client’s environment can ripple across the shared infrastructure. In Merlin’s architecture, the blast radius of any incident is limited to a single, isolated environment. Your data never commingles with another client’s data, and security controls can be customized to meet your specific regulatory or contractual requirements.

This architecture also supports data sovereignty needs. Merlin can deploy client environments in specific AWS regions to comply with local data residency regulations, and can do so within 48 hours.

Independent Validation

Enterprise clients should not take a vendor’s word for its security posture. We agree. Our security program is validated by independent third parties at multiple levels.

SOC 2 Type II Certified

Merlin completed a SOC 2 Type II audit in November 2025, conducted by an independent third-party service auditor. The Type II designation means the auditor evaluated not just the design of our controls but their operating effectiveness over time. The examination covered:

  • Control environment and governance
  • Risk assessment and management
  • Logical access controls
  • System operations and change management
  • Monitoring and incident response

SOC 2 is developed by the American Institute of Certified Public Accountants (AICPA) and is one of the most widely recognized security standards for SaaS platforms. For enterprise customers with specific compliance requirements, our SOC 2 Type II report is available under NDA.

Regular Penetration Testing

Merlin engages independent security firms to conduct penetration testing of our application and infrastructure. Our most recent third-party assessment was completed in September 2025 by AppSecure, a CREST-accredited and CSA-licensed international cybersecurity firm based in Singapore.

The assessment included:

  • Manual testing by certified ethical hackers covering the OWASP Top 10 and Application Security Verification Standard (ASVS)
  • Evaluation of AWS infrastructure security controls
  • Full remediation of all identified findings, verified through follow-up testing by AppSecure

ISO 27001 — Planned for 2026

Building on our SOC 2 Type II certification, Merlin plans to pursue ISO 27001 certification in conjunction with our next annual SOC 2 audit cycle in 2026.

Security Governance

Merlin’s security program is led by a dedicated Chief Information Security Officer (CISO) who reports directly to the CEO. Our Technology Governance Committee, co-chaired by the CISO and COO, provides security oversight at the executive level. This governance structure ensures security considerations are integrated into business operations, product development, and client delivery.


For more detailed information about our security architecture or to discuss specific security requirements, please contact our team. Our SOC 2 Type II report and penetration test summary are available to qualified prospects under NDA.


Secure. Scalable. Built to Perform.

Enhanced Security

Our single-tenant virtual private cloud architecture provides greater security and data isolation.

Scalable Resources

Quickly scale servers and databases up or down as projects require with dedicated cloud resources.

Global Hosting

Meet data privacy, HIPAA and business requirements with local hosting that can be set up overnight.

The Power of Virtual Private Clouds

Merlin leverages the power of virtual private clouds (VPCs) to provide secure, isolated, and personalized environments for each matter we host.

A VPC is a secure, isolated virtual network within the cloud, designed to offer an optimal level of security and control, similar to a traditional on-premises data center but without the associated physical infrastructure costs. A VPC is housed within a public cloud environment, yet maintains a distinct separation from other users of the cloud, providing a personalized, secure computing environment.

As such, a VPC serves as the backbone for secure and customizable cloud solutions, enabling Merlin to provide:

  • Additional isolation by secure subnets
  • Control over your environment for HIPAA and data privacy compliance
  • Enhanced access restrictions and individual monitoring

Our VPCs have no direct connection to the Internet or outside world except through a highly secure firewall and load balancer that handles traffic to and from each site. Even though it sits in a public infrastructure, servers within the VPC are all but invisible to hackers or other bad actors. Sites within each VPC are isolated with secure subnets, ensuring no commingling of data or server resources.

By leveraging VPCs and private subnets, Merlin ensures that each client’s environment is isolated and tailored to their unique security and compliance needs, reinforcing our commitment to providing the highest level of data protection and control for investigations and discovery.

Scalability for Optimal Performance

Merlin’s single-tenant architecture offers unparalleled scalability, ensuring that your ediscovery environment can quickly adapt to your changing needs. With our architecture, you’re not confined to static physical infrastructure. Instead, you have a dynamic computing environment that can effortlessly scale up or down to meet the ebb and flow of your business requirements.

When demand spikes, whether due to sudden influxes of data during large-scale litigation or increased review activity, we can scale up the computing resources within your dedicated environment by:

  • Adding more servers, whether to accommodate a heavier review load or to handle unexpected increases in document or data load; or
  • Increasing the computing power of existing servers with a few simple clicks, ensuring uninterrupted, high-performance operation, even under heavy loads.

When demand recedes, we can easily scale down resources to prevent unnecessary expenditure. This flexibility offers not just an optimal operational environment but also a cost-effective solution. Our goal is to adapt swiftly to your changing needs, ensuring that you have the right resources at the right time, without overpaying for unused capacity.

Application Security

Layered security protocols protect discovery data throughout its lifecycle, combining continuous monitoring with active threat management for comprehensive data protection.

Single Tenant

Our sites run in dedicated environments without data commingling. Each matter runs on separate database, search and storage servers that can be protected from inside and outside intervention.

Multi-Party

We provide private fields and shared folders as standard issue. User groups get private tag sets and shared searches so they can work together while protecting group work products.

Audit Logs

Extensive auditing and logging capabilities let administrators track each person's use of the site. Document views, tags, searches and other actions are tracked throughout.

End to End Encryption

Data is encrypted in transit and at rest to ensure maximum security using industry-leading protocols including TLS and AES-256. This ensures that data is protected at all times on the Merlin platform and between Merlin and its users.

Document Lockdown

Requests to view a document must be accompanied by a time-limited Authorization Token before access is granted. This keeps users from improperly sharing files and hackers from traversing file servers.
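The property described above is that a document request is only honoured when it carries a token that expires and is tied to the specific document, so a copied link goes stale and a token for one file cannot be used to walk the file store. The following is an added illustration of that pattern, not Merlin's implementation: the HMAC-SHA256 construction, the payload layout and the signing key are all assumptions. A `now` parameter is accepted so the expiry logic can be exercised without waiting.

```python
"""Added example, not Merlin's code: a time-limited, document-scoped access
token of the kind the Document Lockdown section describes."""
import base64
import hashlib
import hmac
import time
from typing import Optional

# Server-side signing secret, constructed for the example. A deployment would
# load this from a secret store rather than hard-coding it.
SECRET_KEY = b"example-signing-key-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, doc_id: str, ttl_seconds: int = 300,
                now: Optional[float] = None) -> str:
    """Mint a token bound to one user, one document and an expiry time."""
    expires = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{user_id}|{doc_id}|{expires}".encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, user_id: str, doc_id: str,
                 now: Optional[float] = None) -> bool:
    """Accept only an unexpired token with a valid signature that names exactly
    this user and this document; anything else (tampered, expired, wrong file,
    wrong user, malformed) is refused before any file access happens."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
        tok_user, tok_doc, tok_exp = payload.decode().split("|")
        exp = int(tok_exp)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False  # forged or tampered
    if (time.time() if now is None else now) >= exp:
        return False  # expired: a shared link stops working on its own
    return tok_user == user_id and tok_doc == doc_id
```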

Permission-Based Roles

Merlin provides granular Role-based Access Control (RBAC) in which every function in the Merlin software platform is available as a permission that can be assigned to a role. Administrators can limit available fields and actions.

Through these integrated security measures, Alchemy delivers comprehensive protection, ensuring data integrity from ingestion through final disposition.

Customizable Security

In the world of digital data, the need for robust security and privacy cannot be overstated. Particularly when dealing with PII or data subject to HIPAA, a customized approach to data hosting is not just a nice-to-have, it’s a necessity. Merlin understands this critical requirement and leverages the flexibility of single-tenant architecture to offer highly customizable solutions for each client.

Each single-tenant environment acts as an independent fortress, providing a secure space where data is not only stored but also transmitted and processed under the highest standards of security and privacy. Whether it’s enabling enhanced access restrictions, implementing additional encryption methods, providing special monitoring or securing data transmission channels, we can fine-tune each component of your cloud environment to ensure compliance with GDPR, HIPAA and other data protection regulations.

Global Hosting for Data Privacy

Merlin’s unique architecture offers the flexibility to choose your preferred hosting location, ensuring compliance with data sovereignty requirements. This is particularly crucial in an era of increasing focus on data privacy and security, with regulations like GDPR, CCPA, and HIPAA setting strict standards for how data must be handled.

With Merlin, you can:

  • Comply with data privacy regulations: Ensure that your data is subject to the laws and regulations of the country or region where it is hosted, giving you greater control over how your data is handled and helping you meet the requirements of various data privacy regulations.
  • Leverage private or government-approved environments: Host your VPC in a client’s private AWS environment or a government-approved FedRAMP environment, depending on your specific compliance and security needs, such as those outlined in HIPAA or other industry-specific regulations.
  • Adapt to changing regulatory landscapes: Quickly and easily adjust your hosting location as data privacy and security regulations evolve, ensuring ongoing compliance with new or updated standards like the CPRA.

By providing the freedom to choose your hosting location, Merlin empowers you to meet your unique data sovereignty requirements, no matter where your ediscovery needs take you. Whether you’re navigating GDPR, CCPA, HIPAA, or other data privacy regulations, Merlin’s global hosting options ensure that you can maintain compliance and keep your data secure.

Bring Us Your Toughest Matters

No, we're not trying to change lead into gold. We're turning information into intelligence in the AI era. Built by legal technology pioneers with three decades of experience.