Skip to content
Security

Your data, protected at every level

Security is not a feature we added. It is how we built the platform.

Defence in Depth

Multiple layers of protection at every level of the stack. No single point of failure.

Least Privilege

Every user, service, and system has only the minimum access required. Nothing more.

Transparency

We publish our sub-processor list, our security practices, and our incident response process.

Data protection

How we protect your data

Encryption in Transit

All data encrypted via TLS 1.2+ between your browser, our servers, and every third-party service.

Encryption at Rest

Sensitive fields encrypted using AES-256-GCM. Database backups encrypted. API keys stored with authenticated encryption.

Tenant Isolation

Every club's data is completely isolated. Every database query is scoped by tenant. No club can access another club's data.

No Data Selling or Sharing

We never sell your data, share it for advertising, or use it to benefit other clubs. Your data is yours.

No AI Training

Your data is never used to train AI models. AI features process data only to generate outputs for your specific requests.

PCI Compliance

Payment card data is handled entirely by Stripe (PCI DSS Level 1). Card numbers never touch our servers.

Infrastructure

Built for reliability

  • EU/UK customer data hosted on Hetzner (Germany/Finland), an ISO 27001 certified provider. US customer data hosted on US infrastructure.
  • Backend services run on private internal networks, inaccessible from the public internet.
  • Automated encrypted daily backups with point-in-time recovery. 30-day retention.
  • Real-time error tracking, uptime monitoring, and automated alerts for anomalies.
Access control

Who can access what

  • Role-based permissions configurable per staff member (owner, manager, staff). Members see only their own data.
  • Passwords hashed with bcrypt. Single sign-on available via Google and Microsoft.
  • Short-lived access tokens (15 minutes) with secure refresh. CSRF protection and HttpOnly cookies.
  • Automated brute force detection with lockout. Alerts triggered after repeated failed login attempts.
Incident response

If something goes wrong

  • We monitor systems around the clock for security anomalies.
  • Security incidents are classified, contained, and communicated within 72 hours per GDPR requirements.
  • Affected customers are notified directly with details of the incident, impact assessment, and remediation steps.
  • Monitor real-time service status at status.linksmeridian.com.
  • To report a security vulnerability, contact [email protected].
Compliance

Standards we meet

FrameworkStatus
UK GDPRCompliant
EU GDPRCompliant
CCPA/CPRACompliant
PCI DSS (via Stripe)Compliant
WCAG 2.1 AACompliant

These represent our self-assessed compliance status. We do not currently hold third-party certifications such as SOC 2 or ISO 27001 for Links Meridian itself.

For more details, see our Data Processing Agreement and Sub-processor List.

Questions about our security practices? Contact [email protected]