Security

We treat your data like our own.

meandai is being built as the operations spine of a luxury hospitality association. At launch it will handle payment data, partner contracts, and high-net-worth guest profiles — so we’re designing to that bar from day one.

Encrypted at rest and in transit

Designed so every connection uses TLS 1.2+ and every datastore is encrypted with AES-256 at rest, with customer secrets encrypted under per-tenant keys derived from the platform KEK and never written in plaintext.

Tenant isolation by default

Every data access is scoped to a tenant ID at query time. Middleware rejects any request without a resolved tenant context. Cross-tenant access is structurally impossible — there is no path through the API that ignores tenancy.
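
One way to implement the scoping described above, as an added example rather than meandai's own code: middleware resolves the tenant from the session and rejects the request otherwise, and the data layer binds every query to that tenant. The session table, class names, and guest rows are hypothetical and constructed for illustration.

```python
import sqlite3
from contextvars import ContextVar

# All names and rows here are hypothetical, constructed for illustration.
CURRENT_TENANT = ContextVar("current_tenant", default=None)
SESSIONS = {"tok-a": "hotel-a", "tok-b": "hotel-b"}  # session token -> tenant

class MissingTenant(Exception):
    """A data access was attempted with no resolved tenant context."""

def middleware(headers, handler):
    """Resolve the tenant from the session, or reject before any handler runs."""
    tenant = SESSIONS.get(headers.get("Authorization"))
    if tenant is None:
        return 403, "tenant context required"
    token = CURRENT_TENANT.set(tenant)
    try:
        return 200, handler()
    finally:
        CURRENT_TENANT.reset(token)  # never leak context into the next request

class TenantScopedDB:
    """The only data-access path; callers cannot pass or omit the tenant."""
    def __init__(self, conn):
        self._conn = conn

    def guests(self):
        tenant = CURRENT_TENANT.get()
        if tenant is None:  # defence in depth if middleware was bypassed
            raise MissingTenant("no tenant context")
        rows = self._conn.execute(
            "SELECT name FROM guests WHERE tenant_id = ? ORDER BY name",
            (tenant,))
        return [name for (name,) in rows]

def make_db():
    """In-memory database with constructed rows for two tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE guests (tenant_id TEXT NOT NULL, name TEXT)")
    conn.executemany("INSERT INTO guests VALUES (?, ?)",
                     [("hotel-a", "Ada"), ("hotel-a", "Bo"), ("hotel-b", "Cy")])
    return TenantScopedDB(conn)

if __name__ == "__main__":
    db = make_db()
    print(middleware({"Authorization": "tok-a"}, db.guests))
    print(middleware({}, db.guests))
```

The tenant is never a parameter the handler can supply, so a handler bug cannot widen the query; the check inside `guests` covers code paths that skip the middleware.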

Least-privilege access

Engineers won't have standing access to customer data. Production access will be short-lived, audited, and only granted in response to a support request or a paged incident.

Full audit log

Every action an agent takes (or attempts) will be logged with the actor, the entity, the prompt, the response, and the timestamp, and the log is downloadable from the dashboard. Logs survive account deletion for the regulatory minimum and are then anonymised.

SOC 2 in flight

Type II audit scoped for late 2026. We're building to CIS benchmarks for our cloud configuration, and the control framework is part of the design — the audit will be the formal sign-off, not a retrofit.

Continuous patching

Dependencies pinned, scanned, and rotated weekly via automated PRs. Base images SHA-pinned; no untrusted upstream tags. Critical CVEs are patched within 24 hours; high within 7 days.

Found something? Tell us.

We treat vulnerability reports seriously. We won’t chase you off our property for poking at it responsibly.

Coordinated disclosure

Email security@meandai.io with reproduction steps. We acknowledge within 1 business day, triage within 3, and target a fix within the timelines on our SLA page. We’ll credit you publicly once the fix ships, if you want.

PGP key for encrypted reports: C0FE A111 5EC9 CAFE (full key on the security page once published).

Want the deep dive?

We share the security architecture document, sub-processor list, and pen-test summary with prospects under NDA.