Information Security Policy
1. Purpose
Defines the framework for protecting the confidentiality, integrity, and availability of all information assets owned, controlled, or processed by Meridian Seven. Establishes security objectives, organizational responsibilities, and acceptable use standards governing employees, contractors, and third parties.
2. Scope
- All employees, contractors, temporary staff, and third-party service providers
- All systems, applications, and infrastructure that store, process, or transmit customer data
- All devices used to access Meridian Seven systems (Meridian Seven operates a BYOD model; see BYOD Endpoint Security Policy)
- All environments: production, staging, development, and disaster recovery
Systems In Scope:
- Web Application: Next.js frontend and BFF API routes (GCP Cloud Run)
- Agent Services: Python FastAPI agent service (GCP Cloud Run)
- Database: PostgreSQL (Supabase)
- Identity & Access: Google Workspace Enterprise Standard (IdP, MFA, MDM, DLP), Supabase Auth (application auth, OAuth, email/password), 1Password Business (credential management), Doppler (secrets)
- Source Control: GitHub
- Communication: Google Workspace, Slack
- Monitoring: GCP Cloud Monitoring (uptime checks, alerting, notification channels), CrowdStrike (EDR)
3. Security Objectives
- Confidentiality — Information accessible only to authorized individuals and systems
- Integrity — Accuracy and completeness of information and processing methods safeguarded
- Availability — Authorized users have reliable, timely access to information and assets
- Compliance — All applicable legal, regulatory, and contractual requirements met, including SOC 2 Type II
- Continuous Improvement — Controls regularly assessed and improved based on evolving threats
4. Roles and Responsibilities
| Role | Responsibilities |
|---|---|
| CTO | Executive sponsor; approves security budgets, staffing, and strategic initiatives; approves all policies annually |
| CISO | Owns and maintains all policies and procedures; conducts risk assessments; manages incident response; reports security metrics to CTO; coordinates SOC 2 audit |
| Data Owners | Classify data per Data Classification Policy; approve access requests; report data-related incidents |
| Engineering Team | Implement security controls; follow Change Management Policy; report vulnerabilities; complete security training; maintain secure development practices |
| All Personnel | Comply with all policies; protect credentials; report incidents and suspicious activity |
5. Acceptable Use
- Company systems and data used for authorized business purposes only
- Users must not bypass or disable security controls
- Users must not share credentials, tokens, or authentication secrets
- Users must lock workstations when unattended
- Users must not store company data on unauthorized personal devices or cloud services
- Company email and Slack must not transmit Restricted or Confidential data without encryption; no automated forwarding to external addresses
- Remote access to production requires a device meeting BYOD Endpoint Security Policy requirements (CrowdStrike, disk encryption, screen lock, MFA); WPA2/WPA3 home network required
- Only approved software on company devices; no disabling CrowdStrike; no personal software or file storage
6. Enforcement and Disciplinary Actions
Compliance monitored through access reviews, endpoint management, and audit logging. Automated alerts configured for violations where technically feasible.
| Severity | Action |
|---|---|
| First offense (minor) | Verbal warning and mandatory re-training |
| Second offense (minor) / First offense (moderate) | Written warning in personnel file |
| Repeated / serious offenses | Suspension of access and formal disciplinary review |
| Willful or gross violations | Termination; legal action where applicable |
Severity classification is at the CISO’s discretion in consultation with legal counsel. All personnel may report violations to the CISO or CTO without fear of retaliation.
7. Security Awareness Training
All personnel must complete security awareness training within 30 days of hire and annually thereafter. Training covers: phishing and social engineering, password hygiene, data classification and handling, incident reporting, acceptable use, and device security.
Training completions are tracked in automation/config/training-log.yaml and reviewed during quarterly risk reviews. The CISO is responsible for maintaining training content and ensuring completion.
8. Policy Review
Annual review or upon significant changes to business, technology, or threat environment. CISO initiates; CTO approves all substantive changes.
9. Data Security and Privacy Posture
Meridian Seven maintains the following data security commitments for all customer data:
| Control | Implementation |
|---|---|
| Encryption at rest | All customer data encrypted with AES-256. Sensitive credentials encrypted with AES-256-GCM via Doppler. |
| Encryption in transit | TLS 1.2+ enforced on all communication channels. Cloudflare SSL/TLS encryption mode Full (strict) for public endpoints, so the origin certificate is validated on the Cloudflare-to-origin hop as well. |
| Network isolation | Internal services communicate over isolated private networks (GCP VPC networking) with no direct public internet exposure. All external access routed through Cloudflare Tunnels. |
| Tenant isolation | PostgreSQL Row-Level Security enforces tenant data isolation at the database engine level. Isolation is not dependent on application logic. No client-initiated query path can access another organization’s records. |
| Third-party data sharing | No customer data shared with third parties without explicit written consent. Vendors processing data require a Data Processing Agreement (DPA). |
| Credential management | All secrets managed through Doppler. No credentials in source code, environment files, or application configuration. |
| Access control | Internal access restricted to authorized personnel on a need-to-know basis per the Access Control Policy. |
| Incident notification | Security incident notification to affected customers within 72 hours of confirmed breach. |
| Data deletion | Customer data deleted within 30 days of written request, including database records, graph entities, embeddings, and backup copies within the retention window. |
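The tenant-isolation row above relies on PostgreSQL Row-Level Security rather than on application code. The following is an added illustration of that pattern, not Meridian Seven's actual schema or policies; the table `documents`, the role `app_user`, the session setting `app.current_org_id`, and the sample UUIDs are assumptions for the example. It is meant to be run as a superuser in `psql` against a scratch database.

```sql
-- Added example (not the project's own code): a minimal tenant-isolation
-- pattern with PostgreSQL Row-Level Security. Table, role, setting and
-- UUID values are constructed for the illustration.

CREATE TABLE documents (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    body    text NOT NULL
);

-- Constructed sample data for two tenants, inserted before RLS is forced
-- so the seed does not itself need a tenant context.
INSERT INTO documents (org_id, body) VALUES
    ('11111111-1111-1111-1111-111111111111', 'org A doc'),
    ('22222222-2222-2222-2222-222222222222', 'org B doc');

-- The application connects as a role that is neither superuser nor table
-- owner. Superusers always bypass RLS; owners bypass it unless FORCE is set.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- Tenant context comes from a session setting that the connection layer sets
-- once per request. current_setting(..., true) returns NULL when the setting
-- is absent, and NULL never compares equal, so an unset context sees no rows.
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Per-request usage: role and tenant context are scoped to one transaction.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);
SELECT id, body FROM documents;      -- only 'org A doc' is visible
COMMIT;

-- A cross-tenant write from the same context is rejected by WITH CHECK
-- (the error aborts this transaction, which is the intended outcome).
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.current_org_id',
                  '11111111-1111-1111-1111-111111111111', true);
INSERT INTO documents (org_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'cross-tenant write');
ROLLBACK;

-- With no tenant context at all, the policy yields no rows rather than all rows.
BEGIN;
SET LOCAL ROLE app_user;
SELECT count(*) FROM documents;      -- 0
COMMIT;
```

Two caveats a reviewer should check against any RLS-based isolation claim: roles with the `BYPASSRLS` attribute and superusers are never subject to policies, and on Supabase the `service_role` key bypasses RLS entirely, so that key must only ever be used from server-side code paths that are not reachable by clients. Supabase-hosted policies typically derive the tenant from the authenticated JWT (for example via `auth.jwt()`) instead of a custom session setting, but the `USING` / `WITH CHECK` structure is the same.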
10. Related Policies
- Governance and Organization Policy
- Risk Management Policy
- Access Control Policy
- Incident Response Plan
- Change Management Policy
- Data Classification Policy
- Acceptable Use Policy
- BYOD Endpoint Security Policy
- Vendor Management Policy
- Backup and Recovery Policy
11. Acknowledgment
All personnel must acknowledge this policy within 30 days of hire and annually thereafter. Acknowledgment records maintained by the CISO and available for audit.
Meridian Seven — Confidential