Trust & Security

How Meridian Vega treats your data, your network, and your security review. Direct answers to the questions every responsible buyer asks.

How we operate

Six principles that govern how Meridian Vega builds, ships, and supports software.

Your data stays where it lives

On-premises and air-gapped deployment is supported as a first-class option, not a configuration toggle. Air-gapped installations run with no outbound network calls. Indexes, embeddings, and generated artifacts stay on the customer’s disk — Meridian Vega does not retain copies.

Software you can verify

All Meridian Vega software is proprietary and licensed under a standard end-user license agreement, delivered with each product and available before purchase. Third-party dependencies are disclosed in each product’s NOTICE file. Installers and binaries are signed where the host platform supports verification.

Customer-controlled credentials

Provider keys and other secrets are stored in the OS keystore (DPAPI on Windows, Keychain on macOS, libsecret on Linux), not in environment files. No telemetry by default. Where opt-in telemetry exists, it’s off until the operator turns it on, and what gets recorded is documented per product.

Operational discipline

Security inquiries: 4 business hours. Sales and procurement: 1 business day. Support: 1 business day for paid products; best-effort for free tools. Critical security advisories are issued before public disclosure to enterprise customers under NDA.

Compliance posture

Meridian Vega builds toward the practices required by SOC 2, HIPAA, FedRAMP, and CMMC. Specific certifications are pursued as customer requirements lock in. We will not claim a certification we don’t hold. If a particular framework matters to your procurement, ask — we’ll tell you exactly where we are against it and what the path looks like.

Reporting a security issue

Vulnerability reports go to security@meridianvega.com. Acknowledged within 4 business hours. We work with reporters in good faith on a coordinated timeline, with no legal threats for honest disclosure. Credit given in advisories at the reporter’s preference.

What we don’t do

Commitments that hold regardless of contract.

No customer data sold, syndicated, or used for advertising.

No model training on customer prompts, documents, or telemetry.

No third-party trackers on the website beyond what is technically required for the form submission service.

No surveillance, lawful-intercept, or backdoor capability built into Meridian Vega products. We’ll decline contracts that ask us to.

Need a security questionnaire response?

Procurement-ready answers, on the timeline above. Send us what your security team needs and we’ll route it to the right inbox.

Talk to us