Security
Meridian is built so your data stays yours. No telemetry, no training, no exceptions.
Transport
All connections are HTTPS only. Plaintext HTTP is rejected at the edge. TLS 1.3 minimum.
Secrets
API keys and signing material live in environment variables, never in source code, config files, or client bundles.
Logging
We do not log keystrokes, prompts, or generated output. Request bodies are never persisted.
Training
Customer data is never used to train or fine-tune models. Your conversations are not our dataset.
Infrastructure
- Keys encrypted at rest; decrypted only in memory at request time.
- Zero persistent storage of prompt/response pairs.
- SOC 2 Type II environment; annual third-party penetration tests.
- Session tokens are short-lived, HttpOnly, SameSite=Strict.
Report a vulnerability
If you discover a security issue, email security@meridian.ai. We respond within 24 hours and do not pursue legal action against good-faith researchers.