Audit-ready by design, trusted by default
Meridian is built so advisory firms stay audit-ready with calm, transparent controls — encryption, least-privilege access, and signed receipts woven into every action rather than bolted on afterward.
Four commitments behind every control
These principles shape how Meridian is designed, from the data model to the audit trail.
Audit-ready by design
Every meaningful action is intended to leave a signed receipt, so an exam or internal review starts from evidence, not reconstruction.
Least-privilege access
Roles, scopes, and approvals are designed so people and services see only what their job requires, and nothing more.
Explainability by default
Automated decisions are paired with a plain-language rationale and the inputs behind them, so any recommendation can be defended.
Data you control
Your firm's data stays yours. Retention, export, and deletion are designed as first-class, customer-controlled operations.
Trust built into every action
The day-to-day controls that keep advisors, operations, and compliance teams working from the same evidence.
Audit receipts
Every meaningful action is designed to generate a signed receipt carrying a content hash, timestamp, actor, and rationale.
Decision logging
Rules-first decisions are logged alongside advisor approvals and notes.
Immutable archival
Tamper-evident document storage and retrieval are core design goals of the architecture.
Role-based access
Role-scoped access controls with escalation routing and human review.
Explainability by default
Every automation includes explainability records for advisors and clients.
Human escalation
Compliance triggers route to humans with confidence labels and evidence.
Designed around the standards you answer to
Meridian's architecture is intended to support the frameworks advisory firms are measured against. These are design intents for this illustrative demo, not achieved certifications.
SOC 2-aligned controls
The control environment is designed around the SOC 2 Trust Services Criteria for security, availability, and confidentiality.
GDPR / CCPA-minded handling
Data flows are architected with privacy regulations in mind, including lawful basis, minimization, and subject-rights workflows.
SEC / FINRA-aware recordkeeping
Audit receipts and archival are intended to support the books-and-records and supervision expectations advisory firms face.
Aligned to NIST CSF
Security practices map to the NIST Cybersecurity Framework functions: identify, protect, detect, respond, and recover.
Encrypted, isolated, recoverable
How Meridian is designed to protect data at every layer, from the wire to the backup.
Encryption in transit
Traffic is designed to be served exclusively over modern TLS with strong cipher suites, and HTTP Strict Transport Security (HSTS) so browsers refuse to fall back to plaintext.
Encryption at rest
Stored data and backups are intended to be encrypted at rest using industry-standard symmetric encryption.
Key management
Keys are designed to be managed through a dedicated key-management service with rotation and scoped access.
Tenant isolation
Each firm's data is logically isolated, with access boundaries enforced at the application and data layers.
Secure backups
Encrypted backups with regularly tested restores are part of the architecture, so data can be recovered without weakening confidentiality.
Minimized footprint
Only the data needed to operate the service is collected, reducing the surface area that has to be protected.
Only the right people, only what they need
Identity and access are designed to be tightly scoped, fully auditable, and default-deny.
Role-based access control
Permissions are scoped to roles such as advisor, operations, and compliance, with approvals on sensitive actions.
SSO / SAML & SCIM (planned)
Enterprise SSO via SAML and automated provisioning via SCIM are on the roadmap for centralized identity control.
Least privilege
Default-deny access means people and services start with nothing and are granted only what they need.
Session controls
Session lifetimes, re-authentication, and revocation are designed to keep active access tightly bounded.
Audit of access
Grants, role changes, and privileged actions are recorded so who-saw-what is always answerable.
Separation of duties
High-impact workflows are designed to require a second set of eyes before they take effect.
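The four controls above (role-scoped permissions, default deny, an audit of every grant, and a second set of eyes on high-impact actions) fit together in one small policy evaluator. The following is an added example, not Meridian's code: the roles, permission names, principals and scenarios are constructed for the demonstration, and the two-person rule is modelled as a separate approver holding the approving permission for the same request.

```python
"""Default-deny, role-scoped authorization with separation of duties and an
access log.

Added example, not Meridian's code. Roles, permission names, principals and
the scenarios below are constructed for this demonstration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Assumption: a static role-to-permission table. Anything absent is denied.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "advisor": frozenset({"portfolio:read", "rebalance:propose", "rebalance:execute"}),
    "operations": frozenset({"portfolio:read", "wire:prepare", "wire:release"}),
    "compliance": frozenset({"portfolio:read", "audit:export",
                             "rebalance:approve", "wire:approve"}),
}

# High-impact actions need a second principal holding the approving permission.
REQUIRES_APPROVAL: Dict[str, str] = {
    "rebalance:execute": "rebalance:approve",
    "wire:release": "wire:approve",
}


@dataclass(frozen=True)
class Principal:
    id: str
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Approval:
    approver: Principal
    action: str
    subject: str  # the specific request being approved, e.g. a request id


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


ACCESS_LOG: List[Dict] = []  # audit of access: every grant and denial is recorded


def permissions_of(p: Principal) -> FrozenSet[str]:
    """Union of role grants; an unknown role contributes nothing."""
    perms: FrozenSet[str] = frozenset()
    for role in p.roles:
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return perms


def authorize(actor: Principal, action: str, subject: str,
              approvals: Optional[List[Approval]] = None) -> Decision:
    """Evaluate the request and record the outcome, allowed or not."""
    approvals = approvals or []
    decision = _evaluate(actor, action, subject, approvals)
    ACCESS_LOG.append({"actor": actor.id, "action": action, "subject": subject,
                       "approvers": [a.approver.id for a in approvals],
                       "allowed": decision.allowed, "reason": decision.reason})
    return decision


def _evaluate(actor: Principal, action: str, subject: str,
              approvals: List[Approval]) -> Decision:
    if action not in permissions_of(actor):
        return Decision(False, "default deny: actor lacks permission")
    needed = REQUIRES_APPROVAL.get(action)
    if needed is None:
        return Decision(True, "permitted by role")
    saw_self = False
    for a in approvals:
        if a.action != action or a.subject != subject:
            continue  # an approval for another action or request is not reusable
        if a.approver.id == actor.id:
            saw_self = True  # separation of duties: no self-approval
            continue
        if needed in permissions_of(a.approver):
            return Decision(True, f"permitted with approval from {a.approver.id}")
    if saw_self:
        return Decision(False, "separation of duties: self-approval does not count")
    return Decision(False, f"missing {needed} approval from a second principal")


def run_scenarios() -> Dict[str, bool]:
    """Constructed scenarios covering the grant, deny and two-person paths."""
    jdoe = Principal("jdoe", frozenset({"advisor"}))
    opat = Principal("opat", frozenset({"operations"}))
    asmith = Principal("asmith", frozenset({"compliance"}))
    dual = Principal("dual", frozenset({"advisor", "compliance"}))
    ok = Approval(asmith, "rebalance:execute", "req-42")
    return {
        "read by role": authorize(jdoe, "portfolio:read", "acct-7").allowed,
        "ops cannot execute rebalance": authorize(opat, "rebalance:execute", "req-42").allowed,
        "execute without approval": authorize(jdoe, "rebalance:execute", "req-42").allowed,
        "execute with compliance approval": authorize(jdoe, "rebalance:execute", "req-42", [ok]).allowed,
        "approval reused for other request": authorize(jdoe, "rebalance:execute", "req-43", [ok]).allowed,
        "self-approval": authorize(dual, "rebalance:execute", "req-44",
                                   [Approval(dual, "rebalance:execute", "req-44")]).allowed,
        "unknown role": authorize(Principal("ghost", frozenset({"admin"})), "portfolio:read", "acct-7").allowed,
    }
```

Two details matter more than the table itself: an approval is bound to the exact action and request it was given for, so it cannot be replayed against a different one, and a principal who happens to hold both the acting and the approving role still cannot approve their own request.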
Evidence, not reconstruction
Meridian is designed to turn everyday activity into defensible, exportable records.
Immutable audit receipts
Each meaningful action is intended to produce a receipt carrying a content hash, timestamp, actor, and rationale.
Tamper-evident logs
Receipts are designed to be hash-chained, each carrying the hash of its predecessor, so any after-the-fact edit, reordering, or deletion breaks the chain and is detectable rather than silent.
Explainability records
Automated decisions carry the inputs and rationale behind them, so any recommendation can be explained and defended.
Exportable audit packs
Bundle receipts, decision logs, and explainability records into a single pack for an exam or internal review.
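A receipt with a content hash, a signature, and a link to the previous receipt is the mechanism behind the "immutable audit receipts", "tamper-evident logs" and "explainability records" above. The following is an added example, not Meridian's code: the signing key, field names and sample actions are constructed, and an HMAC stands in for whatever KMS-backed signature a real receipt service would use.

```python
"""Hash-chained, signed audit receipts with chain verification.

Added example, not Meridian's code. The signing key, field names and the
sample actions below are constructed for this demonstration.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Assumption: one signing key per tenant, held by the receipt service. In
# production it would come from a KMS; here it is a constructed constant.
SIGNING_KEY = b"demo-only-key-do-not-use"
GENESIS = "0" * 64  # prev_hash of the first receipt in a chain


def canonical(obj) -> bytes:
    """Deterministic JSON so the same fields always hash the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def make_receipt(prev_hash: str, actor: str, action: str, rationale: str,
                 inputs: Dict, ts: Optional[str] = None) -> Dict:
    """Hash the receipt fields together with the predecessor's hash, then
    sign that hash with an HMAC (stand-in for a KMS-backed signature)."""
    body = {
        "prev_hash": prev_hash,
        "timestamp": ts or datetime.now(timezone.utc).isoformat(),
        "actor": actor,
        "action": action,
        "rationale": rationale,
        "inputs": inputs,  # explainability: what informed the decision
    }
    content_hash = hashlib.sha256(canonical(body)).hexdigest()
    signature = hmac.new(SIGNING_KEY, content_hash.encode(), hashlib.sha256).hexdigest()
    return {**body, "hash": content_hash, "signature": signature}


def verify_chain(chain: List[Dict]) -> Tuple[bool, str]:
    """Walk the chain and name the first receipt that fails. Catches edited
    fields, dropped or reordered receipts, and forged signatures."""
    prev = GENESIS
    for i, r in enumerate(chain):
        body = {k: v for k, v in r.items() if k not in ("hash", "signature")}
        if body.get("prev_hash") != prev:
            return False, f"receipt {i}: prev_hash does not match predecessor"
        expected = hashlib.sha256(canonical(body)).hexdigest()
        if not hmac.compare_digest(expected, r.get("hash", "")):
            return False, f"receipt {i}: content hash mismatch (fields altered)"
        expected_sig = hmac.new(SIGNING_KEY, expected.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected_sig, r.get("signature", "")):
            return False, f"receipt {i}: bad signature"
        prev = r["hash"]
    return True, f"{len(chain)} receipts verified"


# Constructed sample: a rules-first recommendation, its advisor approval,
# and a compliance escalation, with fixed timestamps for reproducibility.
SAMPLE_ACTIONS = [
    ("rules-engine", "recommend_rebalance", "equity drift 6.2% exceeds the 5% band",
     {"drift_pct": 6.2, "band_pct": 5.0}, "2024-05-01T09:00:00+00:00"),
    ("advisor:jdoe", "approve_rebalance", "reviewed drift and tax-lot impact",
     {"trade_count": 3}, "2024-05-01T09:14:00+00:00"),
    ("compliance:asmith", "review_escalation", "confidence 0.61 below auto-approve threshold",
     {"confidence": 0.61}, "2024-05-01T10:02:00+00:00"),
]


def build_demo_chain() -> List[Dict]:
    chain, prev = [], GENESIS
    for actor, action, rationale, inputs, ts in SAMPLE_ACTIONS:
        receipt = make_receipt(prev, actor, action, rationale, inputs, ts)
        chain.append(receipt)
        prev = receipt["hash"]
    return chain


def tamper_demo() -> Tuple[bool, str]:
    """Quietly rewrite the advisor's rationale after the fact."""
    chain = build_demo_chain()
    chain[1]["rationale"] = "approved without review"
    return verify_chain(chain)


def deletion_demo() -> Tuple[bool, str]:
    """Drop the advisor approval; the next receipt's prev_hash exposes it."""
    chain = build_demo_chain()
    del chain[1]
    return verify_chain(chain)


if __name__ == "__main__":
    print(verify_chain(build_demo_chain()))  # (True, '3 receipts verified')
    print(tamper_demo())
    print(deletion_demo())
```

One caveat a reviewer will raise: chaining makes edits detectable only to someone who does not hold the signing key. Whoever can sign can rewrite the whole chain, so the chain head should be anchored somewhere the receipt service cannot alter on its own, for example by periodically exporting the latest hash into the audit pack or to a separately controlled store, and the signing key should sit in the key-management service rather than with the application.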
See exactly what Meridian stores
Export a sample pack to see the data Meridian stores for every action — hashes, timestamps, actors, and the rationale behind each decision.
Built to stay up and recover fast
Resilience is treated as a control, designed into operations and the infrastructure beneath them.
Availability target
The platform is architected toward a 99.9% availability objective for production services.
Disaster recovery
Backups and recovery runbooks are intended to restore service within defined recovery point objective (RPO) and recovery time objective (RTO) windows.
Monitoring
Health, performance, and security signals are designed to be observed continuously with alerting.
Change management
Reviewed, version-controlled, and reversible changes are part of how the service is meant to evolve.
Your data, on your terms
Privacy is designed as a default, with ownership, retention, and residency under your firm's control.
Data ownership
Your firm and your clients own your data. Meridian acts as a processor operating on your instructions.
Retention & deletion
Configurable retention windows and verifiable deletion are designed as standard, customer-controlled operations.
Sub-processors
A maintained sub-processor list, with due diligence on each entry, is intended so you always know who touches your data.
Data residency options
Region-aware storage is on the roadmap so data can be kept within a chosen jurisdiction.
Prepared for the bad day
A clear path to report, detect, and remediate — designed so issues are handled openly and quickly.
Responsible disclosure
Security researchers and customers can report issues to security@meridian.demo. The intent is to acknowledge promptly and coordinate a fix.
Continuous monitoring
Security signals and dependency advisories are designed to be watched continuously, with alerting on anomalies and known vulnerabilities.
Patch cadence
Vulnerabilities are triaged by severity, with a defined remediation cadence so critical fixes ship on an expedited timeline.
Questions security teams ask
Straight answers to the questions that come up in every vendor review.
Where is my data stored?
Data is designed to be hosted with established cloud infrastructure providers in a defined region, encrypted at rest and isolated per tenant. Region-aware residency options are on the roadmap so firms can keep data within a chosen jurisdiction.
Do you use my data to train models?
No. Your firm's and clients' data is not used to train shared or third-party models. Automation runs against your data to serve you, and explainability records show exactly what informed each decision.
Can we use SSO?
Enterprise SSO via SAML, along with SCIM for automated user provisioning and de-provisioning, is planned so identity and access can be managed centrally through your existing identity provider.
Do you support audits and exams?
Yes, that is a core design goal. Exportable audit packs bundle signed receipts, decision logs, and explainability records so an internal review, external audit, or regulatory exam starts from organized evidence.
How is access controlled?
Access is role-based and least-privilege by design, with approvals on sensitive actions, separation of duties on high-impact workflows, session controls, and an audit trail of every grant and privileged action.
What about data deletion?
Retention windows are configurable, and deletion is designed as a verifiable, customer-controlled operation. On offboarding, your data can be exported and then removed within a defined window.
Have a security or vendor-review question?
Our team is happy to walk through controls, share documentation, or complete your questionnaire. Or jump straight into the interactive demo.
Meridian — WealthOS is an illustrative demo. The security architecture, controls, and framework alignments described here represent design intent and aspirational goals, not achieved or independently verified certifications. References to SOC 2, GDPR, CCPA, SEC, FINRA, and NIST CSF describe the standards the product is designed to support and should not be read as compliance attestations.