Security & Data Practices
Meridian is built for the most regulated industry in America. Security, privacy, and compliance are not afterthoughts — they are the foundation.
Hosted on Vercel's enterprise edge network with a 99.99% uptime SLA. All traffic encrypted with TLS 1.3. Application deployed across multiple availability zones with automatic failover. Database hosted on Supabase with daily automated backups and point-in-time recovery.
User and transaction data stored in Supabase PostgreSQL with row-level security. All data encrypted at rest using AES-256 encryption. Database connections secured via connection pooling with SSL enforcement. No data is stored in plaintext.
MLS listing data is retrieved in real time via licensed API connections with authorized Multiple Listing Services. Listing data is not persistently stored in our database — we cache responses in memory only, with no long-term retention of MLS records. All display complies with applicable MLS IDX and VOW rules, including proper attribution and data refresh requirements.
Role-based access control with tenant isolation. Each agent's data is stored within their own tenant boundary. No cross-tenant data access is possible at the application or database level. Administrative access is restricted and logged.
Client documents stored in Supabase Storage with bucket-level access policies. All document access is via signed URLs with 15-minute expiry. No permanent public URLs are generated for sensitive documents. File uploads restricted by type and size.
Powered by Supabase Auth with bcrypt password hashing, Google OAuth 2.0, and magic link email authentication. Sessions are JWT-based with configurable expiry (default 30 days). Multi-factor authentication support is available.
RESPA co-marketing engine with CFPB-ready audit trails — every partnership action is immutably logged. TCPA-compliant SMS messaging with A2P 10DLC registration and opt-out tracking. Wire fraud protection built into all client portal communications with keyword blocking for banking terms.
All payment processing handled by Stripe. Meridian never stores credit card numbers, CVVs, or full card details. PCI DSS compliance is maintained through Stripe's certified infrastructure.
If you discover a security vulnerability, please contact us immediately at jared@osmeridian.com. We take all reports seriously and will respond within 24 hours.