Merion Trust Centre

Security, Privacy & Compliance

Everything you need to assess Merion's security posture, privacy practices, and regulatory compliance — documented openly for creditor partners, debtors, and auditors.

What's covered

Three pillars — security, privacy, compliance

Merion is a technology-first debt recovery firm. Our platform stores sensitive financial data on behalf of creditors and debtors across eastern Australia. We hold ourselves to a high standard — and we publish the evidence.

Security

AES-256-GCM encryption at rest, TLS/HSTS in transit, OIDC SSO with PKCE, passwordless debtor access, multi-tenant isolation, and continuous monitoring via Sentry.

Privacy

Personal information handled under the Australian Privacy Principles (Privacy Act 1988). Separate data streams for creditors and debtors. Rights-based access and a clear request process.

Compliance

Operates under the ACCC/ASIC Debt collection guideline and ASIC RG 96. No Commercial Agent Licence required in QLD, VIC, NSW or ACT. Complaints handled through a published pathway.

Data Handling

Defined data lifecycle — collection, use, retention and deletion. Field-level PII encryption. Documented breach response procedure. Published retention schedule.

Sub-Processors

Stripe for payments, Hostinger for hosting, Cloudflare for DNS/CDN/WAF, Anthropic and OpenAI for optional AI features, Sentry/GlitchTip for error monitoring.

Reliability

Architecture designed for continuity. Error monitoring, health checks (api.merion.com.au/health), and a structured incident response process.

At a glance

Key security & compliance facts

Encryption at rest: AES-256-GCM
Encryption in transit: TLS 1.2+ / HSTS
Authentication: OIDC ES256 / PKCE S256
Payment handler: Stripe (PCI DSS Level 1)
Privacy framework: Australian Privacy Principles
Debt collection standard: ACCC/ASIC Guideline
Error monitoring: Sentry / GlitchTip
Access control: Multi-tenant isolation

Detailed documentation

Explore the Trust Centre

Security — encryption, authentication, SSO, access control, audit logging, file handling, monitoring Privacy — data collection, purpose, retention, rights, privacy requests Compliance — ACCC/ASIC guideline, ASIC RG 96, licensing notice, complaints/EDR Sub-Processors — all third-party processors, data categories, locations Data Handling — lifecycle, encryption, backups, breach response, retention Reliability — uptime, architecture, monitoring, API health Responsible Disclosure — how to report a vulnerability FAQ — common questions on trust, security and privacy

Questions?

Have a trust or security question?

Our team is happy to answer questions from prospective clients, existing partners, or debtors about how we handle data.