§ Trust · Security · Privacy

Security at Meridia.

Your catalogue, orders, and channel credentials are operational data that keeps your business running. We treat them that way — encrypted in transit and at rest, fenced behind row-level authorisation, and exportable in one click whenever you ask.

01 / Compliance

Where we stand, honestly.

We publish the real state of each framework — not the aspirational one. If something says in progress, the observation window is live but the attestation is not yet in hand. Ask security@fulcra.com for the latest evidence package.

SOC 2 Type II · In progress
Observation window open. Report target Q3 2026. Gap analysis complete; controls implemented.
GDPR · Live
Data Processing Agreement available on request. DSAR fulfilment in-app. EU data residency on Supabase eu-west-1.
UK GDPR / DPA 2018 · Live
Operated by NPX Solutions (UK). ICO registration in process.
ISO 27001 · Planned
Scoped for 2026 following SOC 2 report issuance.
HIPAA · N / A
Meridia is not a covered entity. Do not upload PHI.
PCI DSS · N / A
We never touch card data. All payments are tokenised and handled by Stripe (PCI DSS Level 1).
02 / Infrastructure

Where your data lives.

Meridia runs on managed primitives from operators we trust — chosen so your data stays in the EU by default and never sits on a server we operate by hand.

Vercel Functions
US · EU regions

Application runtime. Edge and Node.js serverless. Traffic terminated at nearest region.

Supabase Postgres
eu-west-1 (Ireland)

Primary datastore and auth. Point-in-time recovery enabled (7 days).

Sentry
United States

Error telemetry. PII scrubbed at the SDK before transmission.

PostHog EU
Frankfurt, DE

Product analytics. EU-resident; no data leaves the EEA.

Upstash Redis
EU regions

Rate limiting, job queues. Contains no customer content.

Apify
United States

Isolated scraping workers for competitive-intelligence jobs. Receives job inputs only.

03 / Data handling

Encryption, backups, residency.

Encryption in transit
TLS 1.3 enforced end-to-end. HSTS preloaded on fulcra.com. Channel OAuth flows use PKCE where the marketplace supports it.
Encryption at rest
AES-256 on Supabase managed Postgres volumes and on Vercel build artefacts. OAuth refresh tokens are additionally wrapped with a key scoped per environment.
Backups & recovery
Supabase point-in-time recovery retains 7 days of WAL. We test restore into a staging project on a documented cadence.
Data residency
Primary store in Supabase eu-west-1 (Ireland). Product analytics in PostHog Frankfurt. Error telemetry in Sentry US with PII scrubbed before send.
04 / Access control

Row-level by default.

Every public table in Meridia has Row Level Security enabled, and every policy is scoped by user_id = auth.uid(). Our service role exists only inside server functions — it is never exposed to the browser, never committed to the repo, and rotated on role change.

  • Least-privilege engineering access, brokered through Supabase roles and reviewed quarterly.
  • No production shell access without a change ticket, a second pair of eyes, and an audit-log entry.
  • Admin routes gated by an allow-list in ADMIN_EMAILS; rotated on offboarding.
  • Supabase Advisor is monitored — we treat any new advisor finding as a P1.
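As an added illustration of the "row-level by default" rule above (example SQL written for this page, not Meridia's own schema or migrations), the block below creates one tenant-scoped table, enables and forces RLS, pins every policy to auth.uid() in both its USING and WITH CHECK clauses, and then runs a catalog query that lists any table in the public schema that has RLS off, has no policies, or has a policy that does not reference auth.uid(). The table name `listings`, its columns, and the foreign key to auth.users are assumptions for the example; the catalog query itself uses only standard Postgres system views and is the kind of check a team could run alongside Supabase Advisor.

```sql
-- Added example, not Meridia's schema. Table and column names are assumed.
create table if not exists public.listings (
  id         bigint generated always as identity primary key,
  user_id    uuid not null default auth.uid() references auth.users (id),
  title      text not null,
  created_at timestamptz not null default now()
);

-- A new table has RLS off. Enable it, and FORCE it so the table owner
-- (the role migrations run as) is subject to the policies too.
alter table public.listings enable row level security;
alter table public.listings force row level security;

-- One policy per command, all pinned to auth.uid().
-- WITH CHECK matters: USING alone lets a user INSERT or UPDATE a row that
-- carries somebody else's user_id. Wrapping auth.uid() in a scalar subquery
-- lets the planner evaluate it once per statement rather than once per row.
create policy "listings_select_own" on public.listings
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "listings_insert_own" on public.listings
  for insert to authenticated
  with check (user_id = (select auth.uid()));

create policy "listings_update_own" on public.listings
  for update to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

create policy "listings_delete_own" on public.listings
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- No policy names the anon role, so unauthenticated API requests see zero
-- rows. The service role bypasses RLS by design, which is exactly why it
-- must only ever run inside server functions.

-- Verification: list every public table that fails the rule.
-- An empty result set is the desired state; any row is a finding.
with policy_summary as (
  select c.relname,
         c.relrowsecurity,
         c.relforcerowsecurity,
         count(p.polname) as policy_count,
         bool_and(
              coalesce(pg_get_expr(p.polqual,      p.polrelid), '') like '%auth.uid()%'
           or coalesce(pg_get_expr(p.polwithcheck, p.polrelid), '') like '%auth.uid()%'
         ) as every_policy_uses_auth_uid
  from pg_class c
  join pg_namespace n on n.oid = c.relnamespace
  left join pg_policy p on p.polrelid = c.oid
  where n.nspname = 'public'
    and c.relkind in ('r', 'p')          -- ordinary and partitioned tables
  group by c.relname, c.relrowsecurity, c.relforcerowsecurity
)
select relname                        as table_name,
       relrowsecurity                 as rls_enabled,
       relforcerowsecurity            as rls_forced,
       policy_count,
       every_policy_uses_auth_uid
from policy_summary
where not relrowsecurity
   or policy_count = 0
   or not coalesce(every_policy_uses_auth_uid, false)
order by relname;
```

Two caveats worth keeping in mind when reading the check query. A table with RLS enabled but zero policies is "deny all" for every non-bypassing role, so it is safe but almost certainly a mistake, which is why it is reported. And the `like '%auth.uid()%'` test is a heuristic, not a proof: a policy can mention auth.uid() and still be wrong (for example `or true` bolted on), so a failing row is a finding and a passing row is only the absence of one obvious class of finding.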
05 / Sub-processors

Every vendor. Every purpose.

We sub-contract narrowly, with DPAs in place. Material changes are announced on this page and — for enterprise plans — emailed 30 days before any new sub-processor goes live.

Processor · Purpose (DPA in place for each)
Vercel Inc. · Application hosting, logs
Supabase Inc. · Database, authentication, storage
Stripe, Inc. · Billing, payment tokens
Resend, Inc. · Transactional email delivery
Functional Software (Sentry) · Application error telemetry
PostHog Ltd (EU) · Product analytics
Upstash, Inc. · Rate-limit counters, background queues
Apify Technologies · Competitive-intel scraping jobs
Anthropic PBC · AI content generation (opt-in)
06 / Incident response

What happens if something goes wrong.

24 hours · Discovery
On a confirmed incident, a response lead is appointed and a triage channel opened. Customer impact is scoped before anything is said publicly.
72 hours · Notification
If personal data is affected, we notify the ICO within 72 hours of becoming aware of the breach (UK GDPR Art. 33) and the affected customers without undue delay.
Status page
Live incidents are posted at status.fulcra.com. Post-mortems are published after resolution for material incidents.
07 / Responsible disclosure

Report a vulnerability.

We welcome reports from the security community. Email security@fulcra.com — PGP available on request. We respond within two business days and provide a fix timeline within ten.

In scope
fulcra.com, *.fulcra.com, the Meridia web app, our public API, and our marketing site.
Out of scope
Denial-of-service, volumetric testing, social engineering, physical attacks, third-party infrastructure (Vercel, Supabase, Stripe), and findings that require a rooted device.
Safe harbour
Act in good faith and we will not pursue legal action. Give us reasonable time to remediate before publishing.
08 / Your data

Your data is yours.

GDPR gives you the right to access, correct, export, and erase the personal data we hold about you. Meridia fulfils these rights in-app — no emails, no forms, no waiting.

Art. 15 · 20 · 30-day SLA · usually seconds
Export everything

Download a signed JSON archive of every row in every table we associate with your account — profile, channels, listings, transactions, audit trail.

Art. 17 · processed within 30 days
Delete your account

Request erasure from inside the app. We queue the request, confirm by email, and purge within the GDPR window (billing records retained as required by law).

Available on request
DPA & documents

Standard SCC-backed Data Processing Agreement, sub-processor list, and data-retention schedule. We will sign mutual NDAs for enterprise evaluation.