Your data, protected at every level
Security is not a feature we added. It is how we built the platform.
Defence in Depth
Multiple layers of protection at every level of the stack. No single point of failure.
Least Privilege
Every user, service, and system has only the minimum access required. Nothing more.
Transparency
We publish our sub-processor list, our security practices, and our incident response process.
How we protect your data
Encryption in Transit
All data encrypted via TLS 1.2+ between your browser, our servers, and every third-party service.
Encryption at Rest
Sensitive fields encrypted using AES-256-GCM. Database backups encrypted. API keys stored with authenticated encryption.
Tenant Isolation
Every club's data is completely isolated. Every database query is scoped by tenant. No club can access another club's data.
No Data Selling or Sharing
We never sell your data, share it for advertising, or use it to benefit other clubs. Your data is yours.
No AI Training
Your data is never used to train AI models. AI features process data only to generate outputs for your specific requests.
PCI Compliance
Payment card data is handled entirely by Stripe (PCI DSS Level 1). Card numbers never touch our servers.
Built for reliability
- EU/UK customer data hosted on Hetzner (Germany/Finland), an ISO 27001 certified provider. US customer data hosted on US infrastructure.
- Backend services run on private internal networks, inaccessible from the public internet.
- Automated encrypted daily backups with point-in-time recovery. 30-day retention.
- Real-time error tracking, uptime monitoring, and automated alerts for anomalies.
Who can access what
- Role-based permissions configurable per staff member (owner, manager, staff). Members see only their own data.
- Passwords hashed with bcrypt. Single sign-on available via Google and Microsoft.
- Short-lived access tokens (15 minutes) with secure refresh. CSRF protection and HttpOnly cookies.
- Automated brute force detection with lockout. Alerts triggered after repeated failed login attempts.
If something goes wrong
- We monitor systems around the clock for security anomalies.
- Security incidents are classified, contained, and communicated within 72 hours per GDPR requirements.
- Affected customers are notified directly with details of the incident, impact assessment, and remediation steps.
- Monitor real-time service status at status.linksmeridian.com.
- To report a security vulnerability, contact [email protected].
Standards we meet
| Framework | Status |
|---|---|
| UK GDPR | Compliant |
| EU GDPR | Compliant |
| CCPA/CPRA | Compliant |
| PCI DSS (via Stripe) | Compliant |
| WCAG 2.1 AA | Compliant |
These represent our self-assessed compliance status. We do not currently hold third-party certifications such as SOC 2 or ISO 27001 for Links Meridian itself.
The commitments behind the platform
Security sits inside a wider set of promises we publish rather than reserve for a sales call.
Find us on G2, Capterra, and GetApp.
For more details, see our Data Processing Agreement and Sub-processor List.
Questions about our security practices? Contact [email protected]