Security

Your data. Your control.

Meridian is built for organisations that take data security seriously. Australian-hosted, fully encrypted, and designed to meet the compliance requirements of energy and resources companies.

Security infrastructure

Enterprise-grade security, built in from day one

Every layer of Meridian is designed to protect your data, meet regulatory requirements, and give your security team confidence.

AWS Sydney

Data Residency

Hosted in Australia on AWS Sydney (ap-southeast-2). Your data never leaves Australian jurisdiction unless you explicitly choose otherwise. We support data sovereignty requirements for government and regulated entities.

AES-256 + TLS 1.3

Encryption

AES-256 encryption at rest for all stored data, including backups and database snapshots. TLS 1.3 enforced for all data in transit. No unencrypted connections are permitted at any layer of the stack.

RBAC

Access Control

Role-based access control (RBAC) with granular permissions at workspace, project, and scenario level. Enforce least-privilege access, manage team roles, and control who can view, edit, or approve economic models.

Full Logging

Audit Trail

Every action is logged with a timestamp, user identity, and change detail. Know who changed what, when, and why. Audit logs are immutable and retained for the life of your subscription plus 12 months.

30-Day Retention

Backup & Recovery

Daily automated backups with 30-day retention. Point-in-time recovery available within the retention window. Backups are encrypted and stored in a geographically separate AWS availability zone within Australia.

Target: Q4 2026

SOC 2 Type II

We are actively pursuing SOC 2 Type II certification with a target completion date of Q4 2026. Our security programme is built around the trust services criteria of security, availability, and confidentiality.

Compliance

Compliance roadmap

Our security programme is structured around a clear roadmap towards SOC 2 Type II certification.

  • Infrastructure Security Baseline (Completed, Q4 2025): AWS Well-Architected review, VPC isolation, security group hardening, and IAM policy enforcement.
  • Encryption & Access Controls (Completed, Q1 2026): AES-256 at rest, TLS 1.3 in transit, RBAC implementation, and MFA enforcement for all accounts.
  • Audit & Logging Framework (In Progress, Q2 2026): Immutable audit trail, centralised log management, and automated alerting for security events.
  • Penetration Testing (Planned, Q3 2026): Third-party penetration test conducted by an accredited Australian security firm, followed by remediation of any findings.
  • SOC 2 Type II Certification (Planned, Q4 2026): Formal audit by an independent CPA firm covering security, availability, and confidentiality trust services criteria.

Authentication

  • Multi-factor authentication (MFA)
  • SSO via SAML 2.0 and OIDC
  • Password complexity enforcement
  • Session timeout controls

Network Security

  • VPC isolation with private subnets
  • Web Application Firewall (WAF)
  • DDoS protection via AWS Shield
  • IP allowlisting available

Data Handling

  • Data classification framework
  • Automated PII detection
  • Data retention policies
  • Secure data deletion on termination

Questions about security?

Our team is happy to walk through our security architecture, compliance programme, and data handling practices. We can also complete your vendor security questionnaire.