Security & Data Protection

How Meridian protects research data.

EU-hosted infrastructure, encrypted storage and transport, audited subprocessors, and a documented incident-response posture. Plain language — no security theatre.

Last reviewed: 2026-05-15 · Privacy Policy · AVG / GDPR · System Status

Encryption everywhere

TLS 1.3 in transit, AES-256 at rest. Database, object storage, and email transport all encrypted by default. No production traffic ever leaves a TLS-terminated edge.

EU-hosted core

Authentication, database, and event logs run in Supabase's Frankfurt region. Plausible analytics is EU-hosted. Cross-border processors disclosed below in the subprocessor list.

Strict auth boundaries

Supabase-issued JWTs with short rotation intervals. Optional Google OAuth. Admin and Elite API surfaces require additional server-side role checks. Password reset links are single-use and time-limited.

Backups + retention

Daily Supabase backups with 7-day point-in-time recovery on the database. Object storage versioned. Local server logs rotated daily; persistent traces are JSONL-appended to disk + Supabase tables.

Network discipline

All backend endpoints rate-limited per IP and per user tier. Stripe webhooks signature-verified. CORS pinned to the configured frontend origin. No third-party scripts allowed outside Stripe and Plausible.

User data minimisation

We collect only what the product needs: email, hashed password (or OAuth ID), watchlist symbols, portfolio holdings, alert preferences. No third-party tracking, no behavioural ad pixels.

SP-01

Subprocessor list

8 vendors

Every third-party service that processes user data is listed here with purpose and region. Changes are versioned via this page's git history and surface on the canonical URL within the same business day. AVG/GDPR-eligible users can request a Data Processing Addendum at any time.

| Vendor | Purpose | Region |
|---|---|---|
| Supabase | Authentication, database, file storage | EU (Frankfurt) |
| Stripe | Payment processing, subscription billing | Ireland · global |
| Vercel | Frontend hosting, edge CDN | Global edge · primary US/EU |
| Railway | Backend API + worker hosting | US-West / EU regions |
| Resend | Transactional email delivery | EU + US |
| Groq | LLM inference for daily briefings | US |
| Cloudflare Turnstile | Bot protection on contact form | Global |
| Plausible Analytics | Privacy-friendly pageview analytics (no cookies) | EU (Frankfurt) |

CP-01

Compliance posture

AVG (Dutch GDPR): Compliant — DPA available on request
GDPR (EU-wide): Compliant — same data architecture, EU-hosted core
PCI DSS (cardholder data): Out of scope — all card data handled by Stripe (PCI DSS Level 1)
SOC 2 Type II: Roadmap — Vanta / Drata onboarding planned alongside annual revenue milestone
ISO 27001: Roadmap — to follow SOC 2

Supervisory authority: Autoriteit Persoonsgegevens (Dutch Data Protection Authority). KvK record: KvK registration number available on request.

IR-01

Incident response

First responder: Founder + on-call alert via configured channels.
Severity classification: P0 (auth/payments/data loss) · P1 (degraded service) · P2 (single-feature issue).
User notification SLA: P0 incidents disclosed in-app and via email within 24 hours, regardless of jurisdiction. AVG/GDPR-eligible breaches reported to Autoriteit Persoonsgegevens within 72 hours.
Post-mortem cadence: Published on the System Status page after every P0/P1.
Bug reports: Email privacy@meridianterminal.com with reproducible steps; acknowledgement within 48 hours.

RP-01

Found a vulnerability?

Email the desk privately. Acknowledgement within 48 hours, status updates every business day until resolved. Please don't open public GitHub issues for security topics.

Direct contact

privacy@meridianterminal.com