Skip to content
MERIDIANPHILANTHROPIC
Security & Trust

Discretion, Engineered

The Meridian Portal holds your foundation's grant files, board minutes, and governing documents. What follows is a plain accounting of how that trust is protected — stated exactly, with nothing claimed that cannot be shown.

Infrastructure

Certified Foundations, Honest Claims

The Meridian Portal is built exclusively on infrastructure providers that maintain SOC 2 Type II and ISO 27001 attestations. Meridian itself is a boutique firm, not a certified data center — and we will share our application-security summary with your board under NDA.

The application is hosted on Vercel; the database and document vault run on Supabase, which operates on Amazon Web Services. Those providers carry the physical security, network defense, and compliance regimes of institutional cloud infrastructure. Meridian carries the responsibility for how the application is built on top of them — and the section below is that account.

Application Security

Eight safeguards, built into the portal itself

Isolation at the Database Layer

Row-level security separates every client organization inside the database itself — not merely in the application. Your records are invisible to every other client, enforced by the database engine on every query.

Encryption, In Transit and At Rest

Every connection to the portal is encrypted with TLS, and every record and document is encrypted at rest on the underlying storage.

Invitation-Only Access

There is no self-signup. Every account is created by Meridian at your direction, for a named person your foundation has authorized.

Multi-Factor Authentication

A second factor is available on every account, so a password alone is never the only thing standing between the world and your records.

Role-Based Permissions

Administrators and viewers see different things and can do different things. A board member reviewing a docket cannot alter the grant file behind it.

A Complete Audit Trail

Every action in the portal — every view, upload, edit, and approval — is recorded with who, what, and when. The history of your records is itself a record.

Time-Limited Document Access

Documents are served through signed URLs that expire. A link to a board packet is not a permanent doorway into your vault.

Daily Backups

The database is backed up daily, so your foundation's institutional record does not depend on any single copy, machine, or moment.

Data Ownership

Your Records Are Always Yours

Everything in the portal — grant files, minutes, resolutions, policies, correspondence — belongs to your foundation, not to Meridian. We are its custodian, never its owner.

If an engagement ends, you receive a complete, organized export of your vault, grant records, and governance history. No lock-in, no ransom, no orphaned archive. The measure of a records system is how gracefully it can be left.

Beyond the Software

A Culture of Confidentiality

Technology enforces what culture must first decide. Meridian serves families and institutions whose giving is often deliberately quiet, and discretion is a house value before it is a system setting: client identities are never disclosed, never marketed, and never traded on. No client name appears anywhere — on this site or elsewhere — without written consent.

Every engagement is governed by a written services agreement with confidentiality terms, and the same standard binds every referral partner we coordinate with. The habit of discretion is the oldest security control there is; the portal simply gives it teeth.

For Your Board

Put this page in front of your directors

We will provide our application-security summary under NDA and walk your board or advisors through any of it, question by question.