How we protect your data
Meridian is built for Canadian immigration consulting firms, a sector where client trust, professional ethics, and regulatory compliance set a high bar. Security is treated as a product feature, not an afterthought.
Infrastructure
- Cloudflare Workers: code runs on Cloudflare's global edge network. No long-running servers, no admin SSH, no public IPs to attack.
- Cloudflare D1 (SQLite at the edge): primary database, with point-in-time backups.
- Cloudflare R2: encrypted at rest with AES-256, no egress fees to third-party clouds.
- Cloudflare KV: read-heavy cache layer, never used as a source of truth for sensitive data.
Authentication and sessions
- PBKDF2-SHA256 with 100,000 iterations and a unique 128-bit salt per user for password storage. Plaintext passwords are never stored.
- Account lockout after configurable failed-login attempts.
- One-time codes for first login and password reset: 6-digit codes sent to your work email, 10-minute expiry, single-use.
- JWT sessions signed with a per-environment HMAC-SHA256 secret. Rotated when security warrants.
- Per-firm session isolation: JWT claims encode the tenant ID; cross-tenant requests are rejected at the worker boundary.
Data at rest
- Sensitive personal fields (client names, dates of birth, passport numbers, etc.) are encrypted at the column level using AES-GCM with a per-tenant data encryption key.
- Data encryption keys are wrapped by a per-environment master key held in Cloudflare Workers Secrets.
- R2 documents inherit Cloudflare's at-rest encryption plus the custom metadata header binding each object to its tenant.
Data in transit
- TLS 1.3 enforced on all *.meridianlegal.ca endpoints.
- HSTS with 1-year max-age and includeSubDomains.
- Service-to-service calls between workers use Cloudflare Service Bindings (no public network round-trip).
Admin access
Nova System staff cannot read your firm's client data on demand. When a support issue requires admin access (e.g., debugging a stuck migration), the workflow is:
- The admin posts an access request explaining the scope.
- An automated email is sent to the firm owner with a one-time approval code and a magic link.
- The owner explicitly grants access for a time-boxed window (default 30 minutes).
- Every action the admin takes during that window is logged to a live action stream the owner can revoke at any time.
Responsible disclosure
If you find a security issue, we'd like to hear about it before it becomes a problem.
- Email security@thenovasystem.com.
- We aim to acknowledge within 4 hours and resolve critical issues within 5 business days.
- We do not (yet) run a paid bug-bounty program but will publicly credit responsible disclosers in our changelog.
Subprocessors
| Vendor | Purpose | Location |
|---|---|---|
| Cloudflare Inc. | Hosting, storage, CDN | Global edge (Canada + US + EU + APAC) |
| OneSignal Inc. | Push notifications | US |
| Anthropic PBC | AI inference (Sonnet) | US |
| Resend.com | Transactional email | US |
| Twilio Inc. | SMS (optional) | US |
| Stripe Inc. | Billing | US / Canada |
Compliance commitments
- Canadian privacy law: PIPEDA + BC PIPA.
- The Meridian platform supports CICC ethics requirements around client confidentiality.
- We do not store or process credit-card numbers; Stripe handles all PCI-DSS scope.