Security

Data Privacy

Your data is our priority. Mergin Maps protects the data you collect in the field, store in the cloud, or operate on your own server – from architectural design to daily operations. Mergin Maps is designed to be secure, reliable, and suitable for organizations working with sensitive geospatial data, including local governments, utilities, and private companies.
Privacy Policy: https://merginmaps.com/privacy-policy

Architecture and Platform

Mergin Maps is a platform for collecting and synchronizing geospatial data, built on QGIS. It allows you to work with data in the field, both online and offline, and to synchronize changes to a central repository.

The platform is available in three primary variants:
• Mergin Maps Cloud: fully managed cloud service operated by the Mergin Maps team
• Mergin Maps Enterprise Edition (EE): on-premise solution hosted on the customer’s infrastructure, with commercial support and service level agreements (SLA)
• Mergin Maps Community Edition (CE): open-source variant that can be self-hosted under the AGPL license

These options allow organizations to choose a model that matches their specific security and legal requirements, from a fully managed cloud to an environment where the customer retains complete control over servers, access, and data.

Licensing of Mergin Maps products: https://merginmaps.com/licenses
Mergin Maps licensing overview (Cloud, EE, CE, open-source components): https://merginmaps.com/docs/misc/licensing/

Cloud Infrastructure and AWS Certification

The Mergin Maps cloud service is hosted on Amazon Web Services (AWS), one of the most secure and well-audited cloud platforms in the world.
Amazon (Amazon Web Services, Inc.) states that its environment complies with numerous internationally recognized standards and frameworks, including ISO/IEC 27001, SOC 1, SOC 2, SOC 3, the EU Cloud Code of Conduct (Level 3), GDPR, and readiness for NIS2 requirements.

AWS’s established and appropriate measures are detailed in the official AWS Security & Compliance Whitepaper, confirming that AWS:
• maintains an Information Security Management System (ISMS) aligned with ISO 27001
• operates its services according to best practices in physical datacenter security
• applies encryption, access control, monitoring, and operational continuity
• undergoes regular independent audits and certifications to ensure transparency and customer trust

This foundation enables Mergin Maps to build its security on a reliable, internationally certified technology platform.
Servers and stored data are physically located within the EU (Ireland).

Cloud Service Security

For customers using Mergin Maps Cloud, the Mergin Maps team ensures both security and service reliability through:
• Encrypted connections – access to the web interface and API is secured via HTTPS (TLS)
• Access control and permissions – projects can be shared only with specific users or teams, with granular permissions (read, write, etc.)
• Versioning and change history – changes to projects are versioned to improve auditability and allow rollback
• Infrastructure monitoring and management – the cloud service is continuously updated and monitored
• SLA options – larger customers may negotiate support levels and response times through an SLA

Support and SLA overview: https://merginmaps.com/support

On-Premise Security (Enterprise Edition and Community Edition)

Customers who need full control over data, environment, and security policies can choose:
• Mergin Maps Enterprise Edition (EE): commercial on-premise solution with support, SLA, and a clear licensing model
• Mergin Maps Community Edition (CE): open-source variant (AGPL) that can be deployed on self-managed infrastructure

To support secure deployment, Mergin Maps provides detailed documentation, including:
• how to install the Mergin Maps server
• how to configure the environment for production
• how to set up a reverse proxy (e.g., Nginx) and enable HTTPS
• how to configure important security headers and limitations
• how to adapt settings to meet your organization’s security policies

The sections “Secure Mergin Maps installation” and “Server environment” contain specific recommendations for production deployments, including configuration examples.

Secure Mergin Maps installation: https://merginmaps.com/docs/server/security/
Server environment and security settings: https://merginmaps.com/docs/server/environment/
Install Mergin Maps server (CE/EE): https://merginmaps.com/docs/server/install/

Mobile App Security

The Mergin Maps mobile app for Android and iOS allows working with QGIS projects in the field, both online and offline. From a security perspective, it:
• uses Android/iOS platform security to store credentials and handle data on the device
• communicates with the server over encrypted connections (HTTPS)
• respects server-side permissions and access controls
• is designed for use with sensitive geospatial data, even in low-connectivity environments

Mergin Maps on Google Play: https://play.google.com/store/apps/details?id=uk.co.lutraconsulting
Mergin Maps on App Store: https://apps.apple.com/nz/app/mergin-maps-qgis-in-pocket/id1478603559

Open-Source, Transparency, and Auditability

Much of the Mergin Maps ecosystem is open-source, allowing independent verification, auditability, and customization:
• Mergin Maps server: open-source repository on GitHub (Community Edition)
• Mergin Maps mobile app: open-source mobile app repository
• Other integration tools (e.g., work packages, sync tools): typically under the MIT license

Thanks to the open codebase, customers and their security teams can conduct security audits, code reviews, and make custom modifications.

Mergin Maps server (GitHub): https://github.com/MerginMaps/server
Mergin Maps mobile app (GitHub): https://github.com/MerginMaps/mobile
Licensing overview including MIT-licensed tools: https://merginmaps.com/docs/misc/licensing/

Responsible Disclosure

If you discover a security vulnerability in Mergin Maps – whether in the cloud service, on-premise server, or mobile app – please report it to us securely and responsibly:
• Do not exploit the vulnerability to attack, access others’ data, or disrupt the service
• Do not publicly share vulnerability details until it is resolved
• Provide us with as much detail as possible to help us reproduce and fix the issue
• Contact: security@merginmaps.com or support@merginmaps.com with subject line "Security issue"

ISO 27001 Ready

We follow the principles of the ISO/IEC 27001 international standard and have implemented information security management processes across our organization and the development of Mergin Maps.
We are currently finalizing preparations for official certification, which will confirm the level of security we already maintain.

In practice, this means:
• risk management processes are in place
• security and privacy are built into product development (security-by-design, privacy-by-design)
• least privilege principles and access controls are enforced
• regular reviews, audits, and security updates are performed
• penetration testing is conducted
• employees are trained in data security and protection
• non-disclosure agreements are in place for all employees and external collaborators
• onboarding and offboarding procedures ensure access control
• there are established procedures for reporting and resolving security incidents
• regular backups are made, with verified recoverability
• operational procedures support incident management, business continuity, and change management
• all communication is encrypted using HTTPS/TLS
• maintenance and operation include:
  • regular software updates and vulnerability management
  • system monitoring and event logging
  • separation of production and development environments

These practices are not new – they have long been a part of our daily operations across development, operations, and support teams.

More Information

If you require a detailed security overview, a security questionnaire, or documents for internal audits and compliance, contact us at sales@merginmaps.com. We provide technical and organizational security information upon request.
