Security & Compliance

Security posture, stated plainly

Meibel holds no formal third-party audit certifications as of 2025 — no SOC 2 Type II attestation, no ISO 27001 registration, no FedRAMP authorization. We are a bootstrapped company and those programs take time and capital to complete. What we have done is design every control with the SOC 2 Type II controls catalog and the ISO 27001 control framework as explicit design references, and document exactly what that means in the sections below. Your auditor can evaluate the substance; we are not asking you to trust a badge.

Framework posture

SOC 2 controls                  Designed with
HIPAA safeguards                Designed with
GDPR data minimization          Designed with
EU AI Act transparency          Readiness
ISO 27001 control framework     Designed with
NIST AI RMF (AI 100-1)          Readiness
NIST 800-53 access controls     Selected controls

Control framework

Technical and organizational controls implemented to protect customer data and platform integrity.

Encryption in transit and at rest
All data in transit uses TLS 1.3. Audit log records at rest are encrypted with AES-256. Encryption keys are managed separately from data stores per SOC 2 key management controls.
Least-privilege access
Internal staff access follows least-privilege principles. No standing production access. Access requests logged with justification. Quarterly access reviews per ISO 27001 A.9 framework.
Tenant data segregation
Audit records are partitioned by tenant ID at the database level. No cross-tenant queries are possible by design. Customer data is never processed alongside another customer's context.
Security monitoring
Infrastructure log aggregation with anomaly detection. Access logs reviewed for unusual patterns. Incident response procedures documented and tested quarterly.
Data handling

What we store, how long we store it, and what you can delete.

Audit log records
Stored per your tier: 30 days (Developer), 1 year (Team), custom (Enterprise). Records contain entity type labels and hashes — not raw PII values from redacted fields.
We do not store raw prompt content by default
Meibel stores SHA-256 hashes of pre- and post-redaction prompts, plus entity type labels (not raw values) from redacted fields. The full pre-redaction prompt text is processed inline and discarded — it does not transit to Meibel infrastructure. Optional full-text archiving is available as an explicit opt-in feature for organizations that require it for their own compliance record-keeping.
Data residency
Default: US-East (AWS). Enterprise customers may request EU or US-West residency with dedicated tenant isolation. On-prem deployment available on Enterprise plan.
Deletion
Account deletion triggers a 30-day purge window for all audit records and configuration. Certificate of deletion available on request. Team and Enterprise customers can trigger immediate deletion via API.
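An added illustration of the audit-record model described above (hashes of the pre- and post-redaction prompt, entity type labels only, partitioned by tenant ID). This is example code written for this page, not Meibel's implementation; the entity patterns, field names and tenant identifier are assumptions, and a real deployment would use a proper entity detector rather than two regexes.

```python
import hashlib
import json
import re

# Constructed, illustrative entity detectors. Only the entity *type* is ever
# written to the record; the matched value is replaced and dropped.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"),
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def redact(prompt: str):
    """Replace each detected entity with a type placeholder.

    Returns the redacted text and the list of entity type labels found
    (labels only, never the raw values)."""
    labels = []
    redacted = prompt
    for label, pattern in PATTERNS.items():
        redacted, count = pattern.subn(f"[{label}]", redacted)
        labels.extend([label] * count)
    return redacted, labels


def build_audit_record(tenant_id: str, prompt: str) -> dict:
    """Build the record that would be retained: tenant key, two hashes and
    the entity type labels. The raw prompt is not referenced by the result,
    so once the caller drops it nothing retained can reproduce it."""
    redacted, labels = redact(prompt)
    return {
        "tenant_id": tenant_id,  # partition key; assumed field name
        "pre_redaction_sha256": sha256_hex(prompt),
        "post_redaction_sha256": sha256_hex(redacted),
        "entity_types": sorted(labels),
    }


def record_leaks_value(record: dict, prompt: str) -> bool:
    """Defensive check: no detected raw value appears in the serialized record."""
    serialized = json.dumps(record)
    for pattern in PATTERNS.values():
        if any(value in serialized for value in pattern.findall(prompt)):
            return True
    return False
```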
Penetration testing disclosure
Meibel commissions third-party penetration testing on an annual basis. Results are summarized in our security overview document available under NDA to prospective enterprise customers. Contact [email protected] to request the security overview.

Security questions? Ask Kevin directly.

We're a small team. Security inquiries go directly to the founder. Request access or send a security question.