Trust center

Security

Meridian Spend security practices are designed for procurement and finance teams that need controlled access, durable audit evidence, secure integrations, and clear customer assurance materials.

Last updated
February 3, 2026
Applies to
Meridian Spend platform, infrastructure, personnel, and customer support operations

In summary

  • Security controls cover identity, application security, infrastructure, incident response, vulnerability management, and customer assurance.
  • The platform supports SSO, MFA, role-based access, audit logs, encryption, and customer-facing security review materials.
  • Customers can report security issues to security@meridianspend.com.

Security governance

Meridian maintains a security program with assigned ownership across engineering, operations, support, and executive leadership.

Policies cover access management, data handling, secure development, incident response, vendor review, business continuity, and employee responsibilities.

  • Security policies are reviewed on a regular cadence.
  • Employees complete security and privacy training during onboarding and periodically thereafter.
  • Material control changes are tracked through internal governance workflows.

Compliance and customer assurance

Meridian maintains customer-facing assurance materials intended to support vendor security review, procurement review, and audit preparation.

Available materials may include security overview documentation, architecture summaries, subprocessors, insurance summaries, penetration test attestations, and SOC 2 Type II report access under NDA.

  • Security questionnaires are handled through the sales or customer success process.
  • Customer-specific commitments are documented in applicable order forms or security addenda.
  • Control evidence is reviewed before being shared externally.

Identity and access management

Meridian uses least-privilege access practices for production systems and supports customer controls for workspace access.

Customer administrators can configure SSO, MFA expectations, roles, and approval authority according to their internal policies.

  • Production access is restricted to authorized personnel with business need.
  • Privileged access is logged and reviewed.
  • Customer workspace actions are recorded in audit logs where supported by the product.

Application security

Engineering workflows include code review, dependency review, automated checks, threat-informed design discussion, and production change controls.

The product is designed to keep tenant data logically separated and to enforce authorization checks across workspace boundaries.

  • Security-sensitive changes receive additional review.
  • Authentication, authorization, upload, export, and integration paths are treated as high-risk areas.
  • Application logs support investigation while limiting unnecessary exposure of customer content.

Data protection

Customer data is encrypted in transit using TLS and encrypted at rest using infrastructure-managed encryption capabilities.

Data access is limited by role, business need, technical controls, and operational logging.

  • Secrets are managed through controlled deployment mechanisms.
  • Backups are protected and retained according to backup lifecycle schedules.
  • Customer exports are available through administrator-controlled product workflows.

Infrastructure security

Meridian hosts production services in managed cloud environments with network segmentation, centralized logging, monitored services, and hardened deployment practices.

Infrastructure changes are reviewed and deployed through controlled release processes.

  • Production systems are separated from development and test environments.
  • Administrative interfaces are restricted to authorized personnel.
  • Infrastructure events are monitored for availability and security signals.

Secure software development

Security is incorporated into product design, implementation, testing, release, and operational review.

Developers use reviewed pull requests, automated checks, dependency scanning, and documented release workflows to reduce preventable defects.

  • New features are reviewed for authentication, authorization, data handling, and logging impact.
  • Dependency updates are evaluated for security and compatibility.
  • Security findings are prioritized based on severity, exploitability, and customer impact.

Vulnerability management

Meridian uses automated dependency and infrastructure scanning, manual review, and periodic third-party testing to identify and remediate vulnerabilities.

Findings are triaged, assigned ownership, tracked to resolution, and reviewed for customer impact.

  • Critical issues receive expedited review and remediation.
  • Customers may report suspected vulnerabilities to security@meridianspend.com.
  • Public vulnerability disclosure is coordinated to reduce customer risk.

Incident response

Meridian maintains incident response procedures for detecting, investigating, containing, remediating, and communicating security events.

Incident handling includes severity classification, defined roles, evidence preservation, customer impact assessment, and post-incident review.

  • Customer notification follows contractual and legal obligations.
  • Security events are reviewed for root cause and control improvements.
  • Status updates are provided through appropriate customer channels when incidents affect service availability.

Business continuity and resilience

Meridian uses backup, monitoring, recovery, and operational escalation practices designed to maintain service continuity.

Availability and incident history are published through the status page where applicable.

  • Backups support recovery objectives for core platform data.
  • Operational alerts route to responsible teams.
  • Continuity plans are reviewed as the platform and infrastructure evolve.

Vendor and subprocessors review

Meridian reviews vendors and subprocessors that may affect platform confidentiality, availability, or data protection obligations.

Review depth is based on the service provided, access level, data sensitivity, and business criticality.

  • Subprocessors are subject to contractual confidentiality and security obligations.
  • Customer-impacting subprocessor changes are handled according to customer agreements.
  • Vendor risk evidence is retained for internal assurance purposes.

Responsible disclosure

Security researchers and customers can report suspected vulnerabilities to security@meridianspend.com.

Reports should include affected URLs, steps to reproduce, impact, and any relevant proof of concept details.

  • Do not access, modify, or exfiltrate data that does not belong to you.
  • Do not disrupt service availability or perform destructive testing.
  • Meridian will acknowledge reports and coordinate next steps based on severity and validity.