1. Our Approach
The applications we are building serve regulated industries — healthcare, finance, construction, government. Security in those domains is not a feature to bolt on later; it shapes architecture from the first commit. Our working principles:
- Collect the minimum. We ask for the least information needed to do the job — today, that is a contact form.
- Encrypt by default. Data is encrypted in transit (TLS) everywhere we operate, and at rest on the platforms we build on.
- Least privilege. Access to systems and data is limited to the people who need it, for as long as they need it.
- Honest claims only. We state what is true now and what is planned — and label which is which.
2. This Website
meridian44.com is a static marketing site. It has no user accounts, no logins, and no payment processing.
- Served exclusively over HTTPS with HTTP Strict Transport Security (HSTS) enabled.
- Security headers are set on every response, including X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
- The only personal data this site handles is what you submit through the contact form. Submissions are transmitted over HTTPS to our lead-management system so we can respond. See the Privacy Policy for details.
- No analytics or tracking scripts run on this site.
3. Infrastructure
We build on established cloud providers rather than operating our own data centers.
- This website is hosted on Vercel; application development uses major cloud platforms (AWS and Google Cloud). These providers maintain their own independently audited certifications (SOC 2, ISO 27001) for the underlying infrastructure.
- Provider certifications cover the infrastructure layer, not our applications. Application-level certification is on our roadmap (see section 5) — we do not claim it before it is earned.
- Data in transit is protected with TLS; data at rest uses the providers' encryption (AES-256).
4. Security During the Building Phase
As applications move through development with founding contributors:
- Development, staging, and production environments are separated.
- Access to code and infrastructure requires multi-factor authentication and is granted per person, per system.
- Contributor knowledge and attribution records are treated as confidential and shared only with the people working on the relevant industry application.
- Industry-specific requirements (HIPAA for healthcare, GLBA for finance, CJIS for government work, and others) are designed into each application from the start, because the domain experts building with us work under those regimes every day.
5. Certifications Roadmap
We do not currently hold application-level security certifications, and we will not claim any until an independent auditor says we have earned them. As applications approach production use in regulated industries, we plan to pursue the certifications those industries require — SOC 2 for the platform, plus industry-specific attestations (for example, HIPAA compliance for healthcare applications).
When a certification is achieved, this page will say so, with dates.
6. Responsible Disclosure
We welcome reports from security researchers. If you discover a potential security vulnerability in this website or any Meridian 44 system, please report it to security@meridian44.com. We commit to:
- Acknowledging reports promptly
- Keeping you informed as we investigate and remediate
- Not pursuing legal action against good-faith researchers
Contact
For security questions, contact security@meridian44.com or use our Contact page.
Meridian 44