Security Overview

Meridian is an enterprise-grade knowledge transfer platform designed with security-first principles. This document outlines our comprehensive security measures for both cloud and on-premises deployments.

Security Architecture

Zero-Trust Authentication & Authorization

Multi-Layer Authentication

  • JWT-based authentication with RS256/ES256 verification against Supabase JWKS
  • JWKS caching with ETag and periodic refresh; supports automatic key rotation
  • Multi-factor authentication (MFA) required for all administrative access
  • OAuth 2.0 and OpenID Connect protocols for enterprise SSO integration
  • Session management with secure cookies (HttpOnly, Secure, SameSite)

Row-Level Security (RLS)

  • Database-level RLS enabled for all core tables (forms, templates, knowledge, profiles)
  • User-scoped data access enforcement via automated policies
  • Role-based access control (RBAC) with principle of least privilege
  • Granular permissions beyond ownership for organizational hierarchies

API Security

  • Configurable authentication requirements with request-level validation
  • Input validation via FastAPI/Pydantic schemas
  • Rate limiting and brute force protection
  • Strict CORS allowlist for trusted origins
  • Account lockout policies for suspicious activity

Data Protection & Encryption

Encryption Standards

Data at Rest

  • AES-256 encryption for all stored data
  • Database encryption with managed encryption keys
  • File storage encryption before cloud infrastructure storage
  • Separate encryption keys by data classification level

Data in Transit

  • TLS 1.3 for all data transmission between clients and servers
  • Certificate pinning for API clients
  • End-to-end encryption for sensitive knowledge transfers
  • Secure WebSocket configuration via reverse proxy

Knowledge Data Security

AI Model Security

  • Secure transmission of prompts to AI model providers
  • No permanent storage of sensitive data by model providers
  • Content filtering and safety measures
  • Isolation of user data across different model requests
  • Prompt injection protection and adversarial attack mitigation

Infrastructure Security

Multi-Cloud Deployment Support

Microsoft Azure

Our primary cloud platform inherits enterprise-grade security through Microsoft Azure:

  • • SOC 1, 2, and 3 compliance
  • • ISO 27001, 27017, and 27018 certifications
  • • HIPAA and HITRUST compliance capabilities
  • • FedRAMP authorization
  • • 99.99% availability SLA
  • • Azure DDoS Protection and Security Center monitoring

Amazon Web Services (AWS)

AWS deployments provide equivalent enterprise security features:

  • • SOC 1, 2, and 3 compliance
  • • ISO 27001, 27017, and 27018 certifications
  • • FedRAMP High authorization
  • • HIPAA compliance capabilities
  • • AWS Shield DDoS protection
  • • AWS Security Hub and GuardDuty monitoring
  • • 99.99% availability SLA

Network Security (Both Platforms)

  • • DDoS protection and managed firewalls
  • • Network security groups and private endpoints
  • • Network isolation and segmentation
  • • Multiple availability zones for redundancy
  • • Security monitoring and threat detection

On-Premises Deployment

Infrastructure Requirements

  • • Dockerized services with minimal, security-hardened images
  • • Container runtime security monitoring
  • • Isolated execution environments
  • • Network segmentation and firewall controls
  • • Local encryption key management

Data Sovereignty

  • • Complete data residency within customer infrastructure
  • • No external data transmission to cloud AI providers (optional air-gapped mode)
  • • Customer-controlled backup and disaster recovery
  • • Local compliance with regional data protection regulations

Access Controls & User Management

Identity Management

  • • SSO integration via enterprise identity providers
  • • MFA enforcement for all administrative accounts
  • • Regular access reviews and automated deprovisioning
  • • Background checks for security-sensitive roles

Knowledge Isolation

  • • User-specific knowledge collections enforced by database RLS
  • • Organization-level tenant separation
  • • Project-scoped isolation (Chinese wall implementation)
  • • API isolation with user-context validation

Threat Protection & Monitoring

Security Monitoring

  • • 24/7 security monitoring and alerting
  • • Real-time threat detection and anomaly analysis
  • • Comprehensive logging and audit trails
  • • Monitoring for unauthorized access attempts
  • • Automated security testing in CI/CD pipelines

Incident Response

  • • Immediate containment and assessment procedures
  • • Rapid response team activation
  • • Stakeholder communication protocols
  • • Post-incident analysis and improvement
  • • Regulatory notification when required

Data Governance & Privacy

Data Minimization

We follow strict data minimization principles:

  • • Only store knowledge content explicitly uploaded to our service
  • • Basic account information managed by authentication provider
  • • Payment information securely managed by certified processors
  • • No storage of consumer personal data beyond service requirements

Privacy Rights Support

  • • Right to access your data
  • • Right to delete account and associated content
  • • Right to export your data in standard formats
  • • Right to opt-out of non-essential communications
  • • GDPR, CCPA, and regional privacy law compliance

Data Retention & Deletion

  • • Configurable data retention policies
  • • Secure deletion procedures with cryptographic verification
  • • Automated retention policy enforcement
  • • Audit trails for data lifecycle management

Compliance & Certifications

Current Certifications

  • • SOC 2 Type II compliance (inherited through Azure infrastructure)
  • • ISO 27001 compliance capabilities (inherited through Azure infrastructure)
  • • GDPR compliance framework (inherited through Azure infrastructure)

Certifications in Progress

  • • SOC 2 Type II certification for Meridian-specific controls
  • • HIPAA compliance for healthcare deployments for Meridian-specific controls
  • • GDPR for Meridian-specific controls

Third-Party Security

Vendor Management

  • • Security assessments and due diligence for all vendors
  • • Data processing agreements (DPAs) with all service providers
  • • Regular security certifications required
  • • Incident notification requirements
  • • Right to audit security controls

AI Provider Security

We partner only with AI providers maintaining:

  • • SOC 2 Type II compliance
  • • Enterprise-grade security certifications
  • • Regular security audits and assessments
  • • Data processing agreements with no model training on customer data

Business Continuity & Disaster Recovery

Backup & Recovery

  • • Automated daily backups with encryption
  • • Multi-region backup storage (cloud) or local redundancy (on-premises)
  • • Regular backup restoration testing
  • • Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

Disaster Recovery

  • • Comprehensive disaster recovery plan
  • • Failover procedures and regular testing
  • • Communication plans for service disruptions
  • • High availability configurations

Deployment Options

Cloud Deployment

Azure or AWS Infrastructure

  • • Fully managed cloud infrastructure on your preferred platform
  • • Automatic security updates and patching
  • • Shared responsibility model with cloud provider
  • • Global availability with regional data residency options
  • • Customer choice of cloud provider based on existing infrastructure

On-Premises Deployment

  • • Complete customer control over infrastructure
  • • Air-gapped deployment options available
  • • Customer-managed security updates and patching
  • • Local compliance and data sovereignty
  • • Professional services support for implementation

Security Development Lifecycle

Secure Development Practices

  • • Security by design principles
  • • Regular security code reviews
  • • Static and dynamic application security testing (SAST/DAST)
  • • Dependency scanning for known vulnerabilities
  • • Threat modeling for new features

For detailed security implementation questions or compliance documentation, contact us at kn@trymeridian.dev