Security
How we protect your data and what to do if you find a vulnerability.
Last updated: April 2026
Infrastructure
Meridian is built on infrastructure from established, audited providers:
- Supabase: PostgreSQL database and file storage hosted on AWS EU (Ireland). Supabase maintains SOC 2 Type II compliance.
- Vercel: Application hosting with automatic TLS and global edge network. Deployed from a protected main branch with no manual server access.
- Clerk: Authentication provider. SOC 2 Type II certified. Handles all credential storage — Meridian never stores passwords.
- Stripe: Payment processing. PCI DSS Level 1 certified. Meridian does not store or transmit card data.
- Anthropic: AI model provider. Enterprise API terms apply to all data processed. API inputs are not used for training.
Encryption
All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 at the infrastructure level.
Canvas content, uploaded documents, and extracted text are stored in Supabase with row-level security policies. Each organisation's data is logically isolated — no organisation can access another's data.
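As an added illustration of the row-level isolation described above (example SQL written for this page, not Meridian's schema or policies), the following shows the shape such a Postgres policy takes. The table names, the `organisation_members` membership table and the use of `auth.jwt() ->> 'sub'` as the caller's identity are assumptions; the point is that both `USING` and `WITH CHECK` are needed, and that RLS only binds roles that do not bypass it.

```sql
-- Illustrative multi-tenant RLS setup (assumed schema, not Meridian's).
create table organisation_members (
  org_id  uuid not null,
  user_id text not null,           -- subject id from the auth provider's JWT
  primary key (org_id, user_id)
);

create table documents (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  title   text not null,
  content text
);

-- Helper: the organisations the calling user belongs to.
-- Assumes Supabase exposes the verified JWT via auth.jwt() and that its
-- "sub" claim carries the user id issued by the authentication provider.
create or replace function current_orgs() returns setof uuid
language sql stable security definer as $$
  select org_id from organisation_members
  where user_id = auth.jwt() ->> 'sub';
$$;

alter table documents enable row level security;
-- FORCE applies the policy to the table owner as well, so a direct
-- connection as the owner cannot skip it by accident. Supabase's
-- service-role key still bypasses RLS and must never reach a client.
alter table documents force row level security;

-- USING filters the rows a caller may read, update or delete;
-- WITH CHECK rejects inserts or updates that would place a row
-- in an organisation the caller is not a member of.
create policy documents_org_isolation on documents
  for all to authenticated
  using (org_id in (select current_orgs()))
  with check (org_id in (select current_orgs()));
```

With only a `USING` clause, a member of one organisation could still insert a document carrying another organisation's `org_id`, or move an existing one across by updating that column; the `WITH CHECK` clause is what closes that path.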
Access controls
Production database access is restricted to a small number of engineers via Supabase's access control system. All production access is logged and reviewed. No customer data is accessed without a specific operational need.
Internal access follows the principle of least privilege. Engineer access is reviewed when roles change and revoked immediately on departure.
Application security
We follow secure development practices including:
- All user input is validated and sanitised server-side before persistence.
- API routes require authentication and enforce organisation-level authorisation checks.
- Dependencies are monitored for known vulnerabilities via automated tooling.
- Code is reviewed before merging to the main branch.
- Environment variables and secrets are never committed to version control.
Incident response
In the event of a security incident that affects customer data, we will notify affected users by email within 72 hours of becoming aware of the breach, matching the 72-hour reporting deadline UK GDPR sets for notifying the ICO. Notifications will include the nature of the breach, the data affected, the likely consequences, and the steps we are taking to address it.
Responsible disclosure
If you discover a security vulnerability in Meridian, please report it to security@meridian.so before making it public. We ask that you:
- Give us reasonable time to investigate and remediate before public disclosure.
- Do not access or modify data belonging to other users.
- Do not perform denial-of-service attacks or automated scanning against production systems.
We acknowledge all vulnerability reports within 48 hours and will keep you updated as we investigate and work through a fix. We do not currently offer a paid bug bounty programme, but we are grateful for responsible disclosure.
Contact
For security concerns, contact security@meridian.so. For general data protection questions, contact privacy@meridian.so. We take all security reports seriously and treat them as high priority.