Security

We treat your data like our own.

MeAndAI is the operations spine of a real luxury hospitality association. Our customers trust the platform with payment data, partner contracts, and high-net-worth guest profiles. That sets the bar for everyone else who joins.

Encrypted at rest and in transit

TLS 1.2+ for every connection. AES-256 at rest for every datastore. Customer secrets are encrypted with per-tenant keys derived from the platform KEK and never written in plaintext.

Tenant isolation by default

Every data access is scoped to a tenant ID at query time. Middleware rejects any request without a resolved tenant context. Cross-tenant access is structurally impossible — there is no path through the API that ignores tenancy.
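A minimal sketch of the pattern described above, added here as an illustration and not MeAndAI's own code: middleware resolves the tenant from the authenticated session and rejects the request otherwise, and the only data-access path binds that tenant into every query. All names (`GuestRepo`, `tenant_middleware`, `SESSIONS`, the `guests` table) are hypothetical, and the in-memory SQLite data is constructed.

```python
import sqlite3
from contextvars import ContextVar

# Tenant resolved for the current request; unset means "no tenant context".
_tenant = ContextVar("tenant_id", default=None)
# Constructed sample data: session token -> tenant (stands in for real auth).
SESSIONS = {"tok-a": "tenant-a", "tok-b": "tenant-b"}
class TenantRequired(Exception):
    """A query was attempted without a resolved tenant context."""

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE guests (id INTEGER, tenant_id TEXT, name TEXT)")
    db.executemany("INSERT INTO guests VALUES (?, ?, ?)",
                   [(1, "tenant-a", "Guest A1"), (2, "tenant-b", "Guest B1")])
    return db

class GuestRepo:
    """The only data-access path; every query is bound to the current tenant."""
    def __init__(self, db):
        self._db = db
    def get(self, guest_id):
        tenant = _tenant.get()
        if tenant is None:
            raise TenantRequired("query attempted without tenant context")
        # tenant_id comes from server-side context, never from the request body.
        row = self._db.execute(
            "SELECT name FROM guests WHERE id = ? AND tenant_id = ?",
            (guest_id, tenant)).fetchone()
        return row[0] if row else None

def tenant_middleware(handler):
    """Reject the request before the handler runs unless a tenant resolves."""
    def wrapped(request):
        tenant = SESSIONS.get(request.get("token"))
        if tenant is None:
            return {"status": 403, "body": "no tenant context"}
        token = _tenant.set(tenant)
        try:
            return handler(request)
        finally:
            _tenant.reset(token)  # never leak context into the next request
    return wrapped

def build_app():
    repo = GuestRepo(make_db())
    def get_guest(request):
        name = repo.get(request["guest_id"])
        return {"status": 200 if name else 404, "body": name}
    return tenant_middleware(get_guest), repo
```

A review of such a design should confirm that no query helper exists outside the tenant-bound repository, since a single unscoped path defeats the guarantee.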

Least-privilege access

Engineers don't have standing access to customer data. Production access is short-lived, audited, and only granted in response to a customer-raised support case or a paged incident.

Full audit log

Every action a pod takes (or attempts) is logged with the actor, the entity, the prompt, the response, and the timestamp. The full log is downloadable from the dashboard. It survives account deletion for the regulatory minimum, after which it is anonymised.

SOC 2 in flight

Type II audit scoped for late 2026. We follow CIS benchmarks for our cloud configuration today, and the control framework is already built — the audit is the formal sign-off, not the change.

Continuous patching

Dependencies pinned, scanned, and rotated weekly via automated PRs. Base images SHA-pinned; no untrusted upstream tags. Critical CVEs are patched within 24 hours; high within 7 days.

Found something? Tell us.

We treat vulnerability reports seriously. We won’t chase you off our property for poking at it responsibly.

Coordinated disclosure

Email security@meandai.io with reproduction steps. We acknowledge within 1 business day, triage within 3, and target a fix in production within the timelines on our SLA page. We’ll credit you publicly once the fix ships, if you want.

PGP key for encrypted reports: C0FE A111 5EC9 CAFE (full key on the security page once published).

Want the deep dive?

We share the security architecture document, sub-processor list, and pen-test summary with prospects under NDA.