Security and privacy, built in.

Meshi protects professional identity and relationship data with scoped access, encryption, traceable AI, and controlled integrations.

Current posture Review snapshot
July 2026
Implemented controls Operating
Provider register Public
Security review support Available on request
SOC 2 audit In preparation
Penetration test Planned
View controls

Security

Controls that follow the data.

Identity & access

  • Organization-scoped credentials with explicit read and write permissions
  • Revocable keys stored only as cryptographic hashes
  • Cross-organization authorization regression tests
Server enforcement • Authorization tests

Tenant & partner boundaries

  • Partner reads and writes resolve to the authenticated organization
  • Partner identifiers map within an organization-specific namespace
  • Covered cross-organization routes reject access with no customer response data
Organization scoping • Ownership • IDOR tests

Encryption & secrets

  • TLS and provider encryption for primary storage
  • Application-layer encryption for OAuth credentials
  • Short-lived signed URLs for private object access
  • Runtime secrets kept outside source control
TLS • Storage • Credentials • Objects

Product security

  • Server-side authentication, authorization, and input validation
  • Parameterized database access and validated resource identifiers
  • Configured trusted origins for credentialed browser requests
  • Positive and negative tests before release
Service controls • Database safeguards • Release checks

AI & agent safeguards

  • Task-specific provider inputs with no direct database access
  • Source evidence kept separate from inference
  • Source authority attached to derived intelligence
  • Agent tools share product permission boundaries
Input scoping • Provenance • Permissioned actions

Change management

  • Separate staging and production environments
  • Automated format, lint, type, test, and build checks
  • Health, migration, workflow, and fatal-log release checks
  • Incident findings become checks, safeguards, or runbooks
Separate environments • Automated gates • Approval

Scoped from input to output.

Providers receive task-specific inputs, never direct database access.

  1. 01Permitted inputsProfessional data supplied by clients, users, connected services, and public sources
  2. 02Governed processingMeshi services and managed infrastructure
  3. 03Authorized outputsProduct and partner results with sources

Privacy & responsible AI

Professional intelligence with source context.

Read the public draft
01

Source-aware collection

Source namespaces and provenance metadata keep client-provided, connected, public, and derived inputs distinguishable.

02

Provenance-aware intelligence

Evidence stays separate from inference, with source context attached to derived intelligence.

03

Focused on professional context

Matching uses professional and networking attributes, not special-category attributes. Avoid unnecessary sensitive data in free-form inputs.

04

Retention and deletion

Users can initiate account deletion in product. Database hard-delete and audited organization-scoped purge paths exist; object-storage and derived-data deletion coverage remains in progress.

Subprocessors

Providers and their roles.

Usage labels show when a provider can enter a product or operational data path.

22 providers Reviewed July 2026

Infrastructure

5

Fly.io

API hosting and application compute

Core service

Neon

Managed Postgres database

Core service

Vercel

Frontend hosting and web delivery

Core service

Tigris

Private object storage

Core service

Inngest

Durable workflow orchestration

Core service

Product services

10

PostHog

Product analytics and browser error reporting

Core service

Resend

Transactional email

Core service

Twilio

SMS, WhatsApp, and voice

Capability dependent

Composio

Connected Gmail and Calendar actions

User opt-in

Sentry

Server error reporting when configured

Capability dependent

Slack

Signup and operational notifications, including signup contact metadata

Capability dependent

Telegram

Messaging-channel delivery and media handling

User opt-in

ElevenLabs

Optional onboarding and coach voice conversations

User opt-in

Cloudflare

Turnstile bot protection for public docs chat

Capability dependent

Logo.dev

Trust Center logo delivery and request metering

Capability dependent

AI & enrichment

7

Google

AI inference and live voice

Capability dependent

MiniMax

Model inference

Capability dependent

DeepInfra

Model inference and embeddings

Capability dependent

Anthropic

Inference and capture workflows

Capability dependent

Cerebras

Inference workflows

Capability dependent

RapidAPI

Public professional-data search

Capability dependent

Apify

Public-profile enrichment

Capability dependent

Enabled providers and processing locations vary by capability and deployment.

Logos provided by Logo.dev

FAQ

Common diligence questions.

What is Meshi's SOC 2 status?

Meshi has not completed an external SOC 2 audit. Audit preparation, control ownership, policies, evidence packages, and identified technical work remain in progress.

How does Meshi isolate customer data?

Access is organization-scoped. Partner credentials carry explicit read and write permissions for one organization; deployment-specific requirements are agreed during onboarding.

Is data encrypted?

Meshi uses TLS, provider encryption at rest for primary storage, application-layer encryption for OAuth credentials, and short-lived signed URLs for private objects.

How does Meshi use AI?

Providers receive task-specific inputs, never database access. Evidence stays separate from inference, and enabled provider paths are reviewed for each enterprise deployment.

Does Meshi infer sensitive personal attributes?

Matching covers professional and networking attributes, not special-category attributes. Clients should avoid unnecessary sensitive data in free-form inputs.

How are retention and deletion handled?

Users can initiate account deletion in product. Database deletion paths exist; object-storage and derived-data deletion coverage remains in progress. Enterprise retention requirements are defined during review.

What is Meshi's penetration testing status?

An independent penetration test is planned. Current safeguards include code review, automated checks, authorization tests, and controlled releases.

What security review materials are available?

Contact Meshi to scope an architecture, data-flow, provider, DPA, or questionnaire review for your proposed deployment.

Where is Meshi data hosted and processed?

The register names Meshi's current provider paths. Which providers and processing locations apply to a customer depends on the enabled capabilities and deployment.

Start a security review.

Request a scoped architecture, provider, DPA, or questionnaire review.

Contact Meshi