Security is built in, not bolted on
From the first line of code, StageMerge was designed to treat your data as something to be protected. The practices below are not aspirations — they are how the product works today.
Encryption everywhere
- In transit. All communication with StageMerge is protected by TLS/HTTPS, keeping your data private as it moves across the network.
- At rest. Your sensitive Contentful credentials are encrypted with AES-256-GCM, an authenticated encryption mode, before they are ever written to our database.
Passwords are hashed, never stored
We protect every password with argon2id, a modern, memory-hard hashing algorithm designed to resist brute-force attacks. We never store your password in plaintext, which means no one — including us — can ever read it.
Least-privilege credential handling
The Contentful API tokens you entrust to us are decrypted only in memory, only at the exact moment they are needed, and only to perform an action you explicitly requested. They are never exposed to the browser or logged in plaintext.
Safe-by-default workflows
StageMerge is designed to prevent accidental data loss. Changes are presented for your review before they are applied, and protective guardrails help ensure that merges happen deliberately and transparently.
Account protection
- Secure, session-based authentication keeps your account safe.
- Email verification and protected password-reset flows guard against unauthorized access.
- Rate limiting and anti-enumeration protections defend sensitive endpoints.
Responsible disclosure
We deeply value the security community. If you believe you have found a vulnerability, please let us know privately at support@stagemerge.com and we will respond promptly. We are committed to investigating and addressing every legitimate report.
Your part in staying secure
Security is a partnership. Using a strong, unique password and keeping your Contentful tokens scoped to only the access you need helps us keep your data as safe as possible.