Discretion, Engineered
The Meridian Portal holds your foundation's grant files, board minutes, and governing documents. What follows is a plain accounting of how that trust is protected — stated exactly, with nothing claimed that cannot be shown.
Certified Foundations, Honest Claims
The Meridian Portal is built exclusively on infrastructure providers that maintain SOC 2 Type II and ISO 27001 attestations. Meridian itself is a boutique firm, not a certified data center — and we will share our application-security summary with your board under NDA.
The application is hosted on Vercel; the database and document vault run on Supabase, which operates on Amazon Web Services. Those providers carry the physical security, network defense, and compliance regimes of institutional cloud infrastructure. Meridian carries the responsibility for how the application is built on top of them — and the section below is that account.
Eight safeguards, built into the portal itself
Isolation at the Database Layer
Row-level security separates every client organization inside the database itself — not merely in the application. Your records are invisible to every other client, enforced by the database engine on every query.
Encryption, In Transit and At Rest
Every connection to the portal is encrypted with TLS, and every record and document is encrypted at rest on the underlying storage.
Invitation-Only Access
There is no self-signup. Every account is created by Meridian at your direction, for a named person your foundation has authorized.
Multi-Factor Authentication
A second factor is available on every account, so a password alone is never the only thing standing between the world and your records.
Role-Based Permissions
Administrators and viewers see different things and can do different things. A board member reviewing a docket cannot alter the grant file behind it.
A Complete Audit Trail
Every action in the portal — every view, upload, edit, and approval — is recorded with who, what, and when. The history of your records is itself a record.
Time-Limited Document Access
Documents are served through signed URLs that expire. A link to a board packet is not a permanent doorway into your vault.
Daily Backups
The database is backed up daily, so your foundation's institutional record does not depend on any single copy, machine, or moment.
Your Records Are Always Yours
Everything in the portal — grant files, minutes, resolutions, policies, correspondence — belongs to your foundation, not to Meridian. We are its custodian, never its owner.
If an engagement ends, you receive a complete, organized export of your vault, grant records, and governance history. No lock-in, no ransom, no orphaned archive. The measure of a records system is how gracefully it can be left.
A Culture of Confidentiality
Technology enforces what culture must first decide. Meridian serves families and institutions whose giving is often deliberately quiet, and discretion is a house value before it is a system setting: client identities are never disclosed, never marketed, and never traded on. No client name appears anywhere — on this site or elsewhere — without written consent.
Every engagement is governed by a written services agreement with confidentiality terms, and the same standard binds every referral partner we coordinate with. The habit of discretion is the oldest security control there is; the portal simply gives it teeth.
Put this page in front of your directors
We will provide our application-security summary under NDA and walk your board or advisors through any of it, question by question.