Merrill Corporation

Security

Does DatasiteOne offer IRM (Information Rights Management) controls for increased document security?

Yes. Integrated IRM technology enables Project Administrators to set or revoke access to downloaded documents (Microsoft Office and PDF files) by role. Other file types are downloaded as a watermarked PDF if watermarking is enabled on the project.

Can I add a project disclaimer?

Yes. DatasiteOne Project Administrators can either use the standard project disclaimer or customize the disclaimer to meet specific project requirements. Frequency settings include First Login or Every Login.

How can I ensure all confidential documents are secure inside Merrill DatasiteOne?

As a multi-tenant cloud application, Merrill DatasiteOne uses the latest cloud security best practices.

  • User information, application data and logs are stored and maintained separately
  • Passwords are stored using cryptographic hash algorithms
  • Customer-supplied files are encrypted at rest with AES 256-bit encryption and backed up according to a pre-defined schedule
  • In-transit data is secured via the Transport Layer Security (TLS) 1.2 protocol
  • Events are captured, analyzed and actioned in real time
  • Customer files are accessed only upon request and supported by documented access review and change management processes
  • Upon project closure, project files are purged after 30 days

How does DatasiteOne mitigate risk under the General Data Protection Regulation (GDPR)?

Merrill is already compliant with the existing Data Protection Directive 95/46/EC and proactively took the steps required to continue compliance as GDPR became effective on May 25, 2018. Merrill has a working group that regularly reviews, maintains and improves Merrill’s data protection policy.

  • Merrill is ISO/IEC 27001 certified – Merrill’s processes are audited against global standards required for maintaining confidentiality, security and integrity for all data that Merrill processes.
  • Merrill’s platforms (Merrill DataSite, Merrill DatasiteOne) provide clients with the opportunity to manage uploaded data, including choosing the level of access for any user. While Merrill can facilitate, the client is ALWAYS in control of its data.
  • Merrill has invested in European client support and hosting facilities to maintain localization of data in the EU.
  • Merrill’s U.S. entity is Privacy Shield certified for clients with cross border requirements.
  • Merrill conducts privacy impact assessments on a regular basis and provides training on data privacy obligations to ensure best practices are met and industry leading solutions are implemented where personal information is concerned.

How does Merrill protect project data?

Our dedicated security organization drives alignment across Merrill for deep risk management and strong governance. Security measures include:

  • All Merrill product offerings have been ISO 27001 certified since 2008
  • Merrill DatasiteOne has received SSAE 16 SOC 2 Type II attestation
  • Merrill is EU-US Privacy Shield certified and GDPR compliant
  • Our infrastructure provider is ISO 27001, SSAE 16 SOC 2 Type II compliant and FedRAMP certified
  • Merrill employees, where legally possible, are subject to background checks that include screening for drugs, qualifications and previous employment
  • All Merrill staff are subject to mandatory annual security training, including acknowledgment of security and conduct codes and non-disclosure agreements
  • Security incident response plan tested annually and includes external and internal notification, escalation procedures and communication criteria
  • Disaster recovery plan tested at prescribed intervals to ensure compliance with self-imposed timeframes and quality objectives