Security Architecture
Zero-Trust Authentication & Authorization
Multi-Layer Authentication
- JWT-based authentication with RS256/ES256 verification against Supabase JWKS
- JWKS caching with ETag and periodic refresh; supports automatic key rotation
- Multi-factor authentication (MFA) required for all administrative access
- OAuth 2.0 and OpenID Connect protocols for enterprise SSO integration
- Session management with secure cookies (HttpOnly, Secure, SameSite)
Row-Level Security (RLS)
- Database-level RLS enabled for all core tables (forms, templates, knowledge, profiles)
- User-scoped data access enforcement via automated policies
- Role-based access control (RBAC) with principle of least privilege
- Granular permissions beyond ownership for organizational hierarchies
API Security
- Configurable authentication requirements with request-level validation
- Input validation via FastAPI/Pydantic schemas
- Rate limiting and brute force protection
- Strict CORS allowlist for trusted origins
- Account lockout policies for suspicious activity
Data Protection & Encryption
Encryption Standards
Data at Rest
- AES-256 encryption for all stored data
- Database encryption with managed encryption keys
- File storage encryption before cloud infrastructure storage
- Separate encryption keys by data classification level
Data in Transit
- TLS 1.3 for all data transmission between clients and servers
- Certificate pinning for API clients
- End-to-end encryption for sensitive knowledge transfers
- Secure WebSocket configuration via reverse proxy
Knowledge Data Security
AI Model Security
- Secure transmission of prompts to AI model providers
- No permanent storage of sensitive data by model providers
- Content filtering and safety measures
- Isolation of user data across different model requests
- Prompt injection protection and adversarial attack mitigation
Infrastructure Security
Multi-Cloud Deployment Support
Microsoft Azure
Our primary cloud platform inherits enterprise-grade security through Microsoft Azure:
- SOC 1, 2, and 3 compliance
- ISO 27001, 27017, and 27018 certifications
- HIPAA and HITRUST compliance capabilities
- FedRAMP authorization
- 99.99% availability SLA
- Azure DDoS Protection and Security Center monitoring
Amazon Web Services (AWS)
AWS deployments provide equivalent enterprise security features:
- SOC 1, 2, and 3 compliance
- ISO 27001, 27017, and 27018 certifications
- FedRAMP High authorization
- HIPAA compliance capabilities
- AWS Shield DDoS protection
- AWS Security Hub and GuardDuty monitoring
- 99.99% availability SLA
Network Security (Both Platforms)
- DDoS protection and managed firewalls
- Network security groups and private endpoints
- Network isolation and segmentation
- Multiple availability zones for redundancy
- Security monitoring and threat detection
On-Premises Deployment
Infrastructure Requirements
- Dockerized services with minimal, security-hardened images
- Container runtime security monitoring
- Isolated execution environments
- Network segmentation and firewall controls
- Local encryption key management
Data Sovereignty
- Complete data residency within customer infrastructure
- No external data transmission to cloud AI providers (optional air-gapped mode)
- Customer-controlled backup and disaster recovery
- Local compliance with regional data protection regulations
Access Controls & User Management
Identity Management
- SSO integration via enterprise identity providers
- MFA enforcement for all administrative accounts
- Regular access reviews and automated deprovisioning
- Background checks for security-sensitive roles
Knowledge Isolation
- User-specific knowledge collections enforced by database RLS
- Organization-level tenant separation
- Project-scoped isolation (Chinese wall implementation)
- API isolation with user-context validation
Threat Protection & Monitoring
Security Monitoring
- 24/7 security monitoring and alerting
- Real-time threat detection and anomaly analysis
- Comprehensive logging and audit trails
- Monitoring for unauthorized access attempts
- Automated security testing in CI/CD pipelines
Incident Response
- Immediate containment and assessment procedures
- Rapid response team activation
- Stakeholder communication protocols
- Post-incident analysis and improvement
- Regulatory notification when required
Data Governance & Privacy
Data Minimization
We follow strict data minimization principles:
- Only store knowledge content explicitly uploaded to our service
- Basic account information managed by authentication provider
- Payment information securely managed by certified processors
- No storage of consumer personal data beyond service requirements
Privacy Rights Support
- Right to access your data
- Right to delete account and associated content
- Right to export your data in standard formats
- Right to opt-out of non-essential communications
- GDPR, CCPA, and regional privacy law compliance
Data Retention & Deletion
- Configurable data retention policies
- Secure deletion procedures with cryptographic verification
- Automated retention policy enforcement
- Audit trails for data lifecycle management
Compliance & Certifications
Current Certifications
- SOC 2 Type II compliance (inherited through Azure infrastructure)
- ISO 27001 compliance capabilities (inherited through Azure infrastructure)
- GDPR compliance framework (inherited through Azure infrastructure)
Certifications in Progress
- SOC 2 Type II certification for Meridian-specific controls
- HIPAA compliance for Meridian-specific controls in healthcare deployments
- GDPR compliance for Meridian-specific controls
Third-Party Security
Vendor Management
- Security assessments and due diligence for all vendors
- Data processing agreements (DPAs) with all service providers
- Regular security certifications required
- Incident notification requirements
- Right to audit security controls
AI Provider Security
We partner only with AI providers maintaining:
- SOC 2 Type II compliance
- Enterprise-grade security certifications
- Regular security audits and assessments
- Data processing agreements with no model training on customer data
Business Continuity & Disaster Recovery
Backup & Recovery
- Automated daily backups with encryption
- Multi-region backup storage (cloud) or local redundancy (on-premises)
- Regular backup restoration testing
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
Disaster Recovery
- Comprehensive disaster recovery plan
- Failover procedures and regular testing
- Communication plans for service disruptions
- High availability configurations
Deployment Options
Cloud Deployment
Azure or AWS Infrastructure
- Fully managed cloud infrastructure on your preferred platform
- Automatic security updates and patching
- Shared responsibility model with cloud provider
- Global availability with regional data residency options
- Customer choice of cloud provider based on existing infrastructure
On-Premises Deployment
- Complete customer control over infrastructure
- Air-gapped deployment options available
- Customer-managed security updates and patching
- Local compliance and data sovereignty
- Professional services support for implementation
Security Development Lifecycle
Secure Development Practices
- Security by design principles
- Regular security code reviews
- Static and dynamic application security testing (SAST/DAST)
- Dependency scanning for known vulnerabilities
- Threat modeling for new features
For detailed security implementation questions or compliance documentation, contact our security team at kn@trymeridian.dev.