Security overview
How Meridian protects your data, keys, and infrastructure at every layer — from transport to storage to compliance.
Transport security
All communication between your browser, our API, and upstream providers is encrypted in transit using TLS 1.3. We enforce HTTP Strict Transport Security (HSTS) with a long max-age and include subdomains, so browsers never downgrade to plain HTTP. Certificate transparency monitoring ensures no mis-issued certificates go undetected.
- TLS 1.3 exclusively — no legacy cipher suites
- HSTS preload-ready with includeSubDomains
- Certificate Transparency logging enforced
Storage security
Environment variables and secrets are encrypted at rest using Vercel's envelope encryption and never logged or exposed in client bundles. No plaintext keys, tokens, or credentials appear in source code, build artifacts, or error traces. Access to production secrets requires multi-factor authentication and is audited.
- Server-side envs encrypted at rest
- Zero plaintext keys in source or build output
- MFA-gated access to production secrets
Key management
API keys are stored as salted hashes in Redis — the raw key is never persisted after initial creation. Every key carries the sk-... prefix so you can identify them in logs and rotate them instantly from the dashboard. Rotation generates a new key and invalidates the old hash with zero downtime.
- Salted hash storage — raw key shown once
- sk-... prefix for easy identification
- Instant rotation via dashboard — no code changes
Compliance & privacy
Meridian's data handling practices align with GDPR requirements: we process only the minimum data needed to operate the service, honor data subject requests within regulatory timelines, and maintain a Data Processing Agreement for customers who need one. Subprocessors are vetted and listed in our DPA.
- GDPR-aligned data minimization
- Data subject request handling within 30 days
- DPA available for enterprise customers