Trust center

Security, privacy, compliance

Data handling

Client data is stored in databases encrypted at rest (AES-256) and transmitted over TLS 1.3, with row-level access controls scoped per engagement. We do not aggregate client data across portfolios. Backups are encrypted and retained for 90 days, then destroyed.

Security controls

All staff hardware is enrolled in MDM with full-disk encryption and remote-wipe. Production deploy keys are stored in HSM-backed secrets management. Two-factor authentication is mandatory on every system. Quarterly access reviews are documented.

GDPR + UK GDPR

MeridianWeb Ltd is registered with the ICO (registration ZB 542 198). DPAs are available for every engagement. Data subject access requests are processed within the 30-day statutory window. We do not transfer personal data outside the UK/EU without explicit safeguards.

ISO 27001 alignment

Our internal controls map to ISO 27001 Annex A. We are working towards certification (target Q3 2026). Current scope: information classification, access control, cryptography, incident management, supplier security.

Subprocessors

Vercel (hosting), Cloudflare (CDN + DDoS), GitHub (source control), Resend (transactional email), Stripe (payments), Google Workspace (productivity). A current subprocessor list is available on request — security@meridianweb.co.uk.

Incident response

Security incidents are triaged within 4 hours of detection. Affected clients are notified within 24 hours; where an incident affects fewer than 10 records, notification is within 72 hours. Post-incident reports include root cause, remediation, and prevention.

Vulnerability disclosure

Report vulnerabilities to security@meridianweb.co.uk. We acknowledge within 24 hours, triage within 72 hours, and credit disclosing researchers in the changelog where requested.