Enterprise-grade security

Your data is the foundation of your marketing strategy. We treat its security with the seriousness it deserves.

Certifications & Compliance

SOC 2 Type II

Independently audited and certified for security, availability, and confidentiality controls. Our most recent audit was completed in November 2023.

GDPR Compliant

Full compliance with the EU General Data Protection Regulation. Data Processing Agreements available for all customers. EU data residency option on Enterprise plans.

CCPA Compliant

We comply with the California Consumer Privacy Act, including data access, deletion, and opt-out rights for California residents.

How we protect your data

Encryption at Rest

All customer data is encrypted at rest using AES-256 encryption. Database backups and stored files are encrypted with keys managed through AWS KMS with automatic key rotation.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS across all endpoints and support HSTS with preloading.

SSO & SAML

Enterprise plans include single sign-on support via SAML 2.0. Integrate with Okta, Azure AD, OneLogin, Google Workspace, and other identity providers.

Audit Logs

Comprehensive audit logging for all account activity, including logins, data exports, configuration changes, and API access. Logs are retained for 12 months and are exportable.

Role-Based Access Control

Granular permissions system with predefined roles (Admin, Editor, Viewer) and custom roles. Control who can view, edit, or export data across your organization.

Penetration Testing

Annual third-party penetration testing by independent security firms. We also run a continuous bug bounty program for responsible vulnerability disclosure.

Infrastructure Security

  • Cloud Hosting: Meridian is hosted on Amazon Web Services (AWS) in the us-east-1 and eu-west-1 regions. AWS maintains SOC 1/2/3, ISO 27001, and FedRAMP certifications.
  • Network Security: All production systems are isolated in private VPCs with strict security group rules. WAF protection is enabled for all public-facing endpoints.
  • Backup & Recovery: Automated daily backups with point-in-time recovery. Backups are encrypted and stored in a separate AWS region. The recovery time objective (RTO) is under 4 hours.
  • Monitoring: 24/7 infrastructure monitoring with automated alerting. Security events are centrally logged and monitored with anomaly detection.
  • Incident Response: Documented incident response plan with defined escalation procedures. All security incidents are communicated to affected customers within 72 hours.

Security Report

Download our comprehensive security whitepaper, including our SOC 2 Type II summary report, architecture overview, and compliance details.

Download Security Report

Have security questions?

Our security team is happy to answer questions, provide additional documentation, or discuss your specific compliance requirements.

Contact Security Team