Built to publish under scrutiny.
Independent research is only credible if the surface that delivers it is hard to compromise. The controls below describe how Meridian Consensus protects accounts, reports, and customer data, and where to send a security report.
Strict transport security; no insecure fallbacks.
Hosted identity. Passwords never touch our servers.
Database and object-store encryption by default.
Cross-border transfer covered by SCCs.
Application security
The runtime is built on a managed platform with a hardened request path. Every page renders behind HTTPS-only routing with security headers set globally.
- TLS 1.3 enforced site-wide; HTTP automatically upgraded.
- Strict CSP and frame-ancestor restrictions on all routes.
- CSRF protection and same-origin checks on state-changing requests.
- Server actions and webhook signatures are verified before any database write.
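As an added example (not Meridian Consensus code), this is one way to enforce the "verified before any database write" rule for inbound webhooks: the signature is checked over the raw bytes, with a freshness window and a constant-time comparison, and only then does the handler proceed to the write. The header format (`X-Signature: t=<ts>,v1=<hex>`), the secret, and the five-minute tolerance are assumptions.

```python
import hmac
import hashlib
import time
from typing import Optional

TOLERANCE_SECONDS = 300  # assumed replay window: reject timestamps older than five minutes


def sign(secret: bytes, timestamp: int, raw_body: bytes) -> str:
    """Build the header value a sender would attach (assumed scheme: HMAC-SHA256 over "<ts>.<body>")."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, header: str, raw_body: bytes, now: Optional[int] = None) -> bool:
    """Return True only if the signature matches the raw body and the timestamp is fresh.

    Runs on raw bytes before any JSON parsing, and uses a constant-time comparison
    so a forged signature cannot be guessed byte by byte from timing differences.
    """
    now = int(time.time()) if now is None else now
    fields = dict(part.split("=", 1) for part in header.split(",") if "=" in part)
    try:
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False  # malformed header: never fall through to the write
    if abs(now - ts) > TOLERANCE_SECONDS:
        return False  # stale or future-dated: treat as a replay
    expected = hmac.new(secret, f"{ts}.".encode() + raw_body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


def handle_webhook(secret: bytes, header: str, raw_body: bytes, now: int) -> str:
    """Gate the write: only a verified payload reaches the (stand-in) database write."""
    if not verify_webhook(secret, header, raw_body, now):
        return "rejected"
    # ... parse raw_body and write to the tenant's rows here ...
    return "written"


# Constructed sample input (not real credentials or traffic)
SECRET = b"whsec_example_do_not_use"
BODY = b'{"event":"entitlement.granted","account":"acct_123"}'
NOW = 1_700_000_000
GOOD_HEADER = sign(SECRET, NOW, BODY)
```

Any change to the body, secret, or header, or a timestamp outside the window, is rejected before the handler reaches the write.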
Authentication & accounts
Identity is delegated to Clerk, a SOC 2 Type II authentication provider. Passwords never reach the application server.
- Email + password, plus passkey and SSO support out of the box.
- MFA available on every account; required on the unlimited tier.
- Sessions are short-lived and bound to device fingerprints; they are rotated on privilege escalation.
- Login history surfaced inside the account hub at /account/security.
Data protection
Customer data is segregated by row-level tenancy. Backups are continuous, encrypted, and retained on a separate provider account.
- Database encryption at rest (AES-256) on the Neon Postgres tier.
- Object storage (Vercel Blob) is TLS-only; exports are served through signed URLs.
- Daily automated backups with seven-day point-in-time recovery on the primary cluster.
- Subprocessors named on the privacy page; no third-party advertising trackers.
Access control & privilege
Internal access is least-privilege by default. Production access requires SSO + MFA, scoped per role, and is revoked on role change.
- No shared credentials. All production access is identity-bound and audit-logged.
- Admin actions (refunds, entitlement grants, impersonation) write to an immutable audit ledger.
- Engineering access to customer data limited to incident response and never used for analytics.
- Quarterly access review for all production roles.
Monitoring & incident response
Health and error telemetry stream to Sentry; uptime is checked from independent regions. A documented incident-response runbook governs every Sev-2-or-higher event.
- Public health endpoint at /api/health for uptime monitors.
- Error tracker captures exceptions with redacted PII and per-deployment digests.
- Sev-2 incidents are acknowledged within 30 minutes during business hours and within one hour overnight.
- Customer-affecting incidents publicly post-mortemed within five business days.
Compliance posture
We adopt the controls expected of a SOC 2-aligned environment. A formal report is in scope; current posture and stage are available to enterprise buyers under NDA.
- Engineered to SOC 2 control families (security, availability, confidentiality).
- Privacy practices align with GDPR; standard-contractual-clause-backed transfers.
- Subprocessor list maintained on the privacy page and updated within thirty days of change.
- DPA available on request for enterprise contracts.
Responsible disclosure
Independent security researchers are welcome. We commit to acknowledge reports within one business day and to keep researchers informed through resolution.
- In-scope: meridianconsensus.com and the application at www.meridianconsensus.com.
- Out-of-scope: subprocessor-owned services (file separately with the provider).
- Test against your own account only; never against another customer's data.
- Email security@meridianconsensus.com; our PGP key is available on request for encrypted reports.
Found a vulnerability?
Disclose responsibly. We acknowledge within one business day.
Send a writeup with reproduction steps to security@meridianconsensus.com. We do not pursue legal action against good-faith researchers operating within scope.
Frequent enterprise questions
On compliance & posture.
01 Are you SOC 2 certified?
Not yet. The environment is engineered to SOC 2 control families and a formal report is on the roadmap. Current posture, evidence, and stage are shared with enterprise prospects under NDA on request.
02 Where is data hosted?
Primary infrastructure runs on Vercel and Neon in US data centers. Cross-border transfer for non-US customers is covered by standard contractual clauses between processor and upstream providers.
03 Will you sign a DPA?
Yes. A standard data-processing addendum is available for enterprise customers. Email sales@meridianconsensus.com with your legal contact and we'll have a draft back within one business day.
04 Do you train AI models on customer prompts or briefs?
No. Inference providers operate under a no-retention-for-training agreement. Commission briefs and account data are stored only inside the customer's tenant.