Security

Defensive depth,
by design.

How Axis Meridi Technologies protects identity, tenant data, and credentials across the platform — named, not hedged.

Tenant isolation.

Every multi-tenant table is scoped by tenant_org_id at the query level — not just at the application layer. A bug in app code cannot leak data across tenants because the database itself does not return rows from other tenants for any query. Defensive depth, not a single guard.

Cross-product API security.

When MyMeridi provisions an account in AxisCommand, or AxisVantage hands a lead to AxisCommand, the cross-product call is HMAC-signed end-to-end with a per-product shared secret. A timestamp window limits how long a captured request stays valid, narrowing replay attempts. The internal network is not trusted; every internal call is signed.
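An added example, not the platform's own code, showing the shape of the signing scheme described above in Python. The header names, the SHA-256 HMAC, the canonical string, the 5-minute window and the per-product secrets are all assumptions made for illustration:

```python
import hashlib
import hmac
import time
from typing import Optional

# Hypothetical per-product shared secrets, constructed for this example.
# Real ones would come from a secret store, never from source code.
PRODUCT_SECRETS = {
    "mymeridi": b"constructed-secret-for-mymeridi",
    "axisvantage": b"constructed-secret-for-axisvantage",
}

# Requests whose timestamp is further than this from the receiver's clock are rejected.
REPLAY_WINDOW_SECONDS = 300


def _canonical(product: str, timestamp: int, method: str, path: str, body: bytes) -> bytes:
    # Bind every field the receiver will act on, with an unambiguous separator,
    # so a signature for one call cannot be reused for a different path or body.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([product, str(timestamp), method.upper(), path, body_hash]).encode()


def sign_request(product: str, method: str, path: str, body: bytes, now: Optional[int] = None) -> dict:
    """Caller side: return the headers attached to a cross-product request."""
    ts = int(time.time()) if now is None else now
    mac = hmac.new(PRODUCT_SECRETS[product], _canonical(product, ts, method, path, body), hashlib.sha256)
    return {"X-Product": product, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers: dict, method: str, path: str, body: bytes, now: Optional[int] = None) -> bool:
    """Receiver side: check the product, the timestamp window, then the MAC in constant time."""
    secret = PRODUCT_SECRETS.get(headers.get("X-Product", ""))
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > REPLAY_WINDOW_SECONDS:
        return False  # stale (or future-dated) request: outside the replay window
    expected = hmac.new(secret, _canonical(headers["X-Product"], ts, method, path, body), hashlib.sha256)
    # compare_digest avoids leaking the MAC through timing differences.
    return hmac.compare_digest(expected.hexdigest(), headers.get("X-Signature", ""))
```

A window only bounds replay to its own length; a receiver that also remembers signatures seen inside the window (a short-lived nonce cache) closes the remaining gap.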

Identity and sessions.

MyMeridi is the auth root for the platform. Three sign-in modes:

  • Passkeys — preferred. Phishing-resistant, no password to leak, hardware-backed where the operating system supports it.
  • Password + device-trust MFA — one-time codes tied to the device fingerprint, not just the user.
  • Six-digit code on a previously-trusted device — the friction floor for return visits.

Session tokens are short-lived; refresh requires re-attestation. Passwords are never stored — only Argon2id hashes with per-record salts.

Secrets at rest.

OAuth tokens for third-party integrations (Stripe, Google, Microsoft, others) are encrypted at rest with AES-256-GCM. Encryption keys are rotated quarterly and stored separately from the data they protect. SMTP credentials live in a file one level above public_html — never web-served, never in the deploy archive, never committed to git.

Transport.

HTTPS-only across every product. HSTS is set with includeSubDomains and a 1-year max-age. TLS 1.2 or higher; lower versions are refused. Plain HTTP requests are 301-redirected at the edge. Hard-coded security headers: X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, and a Permissions-Policy that disables geolocation, microphone, and camera by default.

Subprocessors.

Three named services touch tenant data:

  • Hostinger — web hosting and SMTP send.
  • Stripe — subscription billing and payment processing.
  • Anthropic — Claude API powers lead intelligence inside AxisVantage. Tenant text is sent only as needed; Anthropic does not retain or train on this data per their commercial agreement.

The full data-flow per service is on the privacy page. Material changes are communicated to existing customers and reflected on this page.

Coordinated disclosure.

Found a vulnerability? Email security@axismeridi.com with details and steps to reproduce. We respond within two business days, work in good faith, and credit researchers when the fix lands. We do not pursue researchers acting in good faith. A formal bug-bounty program is not yet stood up — rewards are case-by-case until then.

What we do not yet claim.

An honest list of attestations we have not earned and programs we have not yet stood up:

  • SOC 2 Type II — not yet audited. On the post-GA roadmap.
  • ISO 27001 — not yet certified.
  • HIPAA — PHI workloads are not in scope. The platform is not designed for protected health information today.
  • Formal bug-bounty program — not yet stood up.
  • Third-party penetration test reports — internal red-teaming only at this stage.

As the platform matures, this list shrinks. We update it here when something moves.

Architecture, in public.

The cross-product flows described above are mapped in the architecture page. Operational health is on the status page, refreshed every 15 seconds. We do not run a hidden version of any of this.

Effective date.

Last updated May 10, 2026.