How MeshQu protects your data
Cryptographically verifiable decisions
Every governed decision is hashed and signed (Ed25519). Receipts can be verified offline using a published public key — you do not need to trust MeshQu to verify a receipt. Where transparency anchoring is enabled for a deployment, receipts are additionally anchored to the public Sigstore Rekor log; anchoring failures are non-fatal and a receipt remains signed and verifiable even if the log is briefly unreachable.
Tenant isolation in four layers
Every request carries a tenant id; the API rejects mismatches at the boundary; Postgres row-level security (RLS) enforces isolation per query; a runtime invariant check fails the request if the database session falls back to a role that bypasses RLS.
Append-only audit chain
The audit log is database-immutable (trigger-enforced) with a per-tenant hash chain. Once written, a row cannot be altered without breaking the chain — a property that an external auditor can verify independently.
AI-assisted authoring is opt-in and minimised
AI-assisted authoring is opt-in per tenant. When enabled, OpenAI requests opt out of training and long-term retention via store:false. A short OpenAI abuse-monitoring window (currently 30 days, per their docs) may still apply unless the deployment is on an approved Zero Data Retention project. The OpenAI subprocessor and the live state of these controls are documented in our privacy notice.
Compliance roadmap
We publish progress on our compliance and trust workstreams openly. Each row below is tracked in our SOC2 readiness harness and gated by specific controls — we do not claim a certification we don’t hold.
- SOC2 Type II: In progress
Trust & Compliance Controls workstream in progress. Phase 1 covers retention policy, data inventory, incident response, disaster recovery, secret rotation, and governance controls. Phase 2 covers RBAC, MFA/SSO, DSAR, erasure, deploy pipeline, image signing, and DR drills.
- GDPR / UK GDPR: In progress
Privacy notice and subprocessor list are public. DSAR export and erasure endpoints are scheduled for Phase 2. Lawful basis is documented per data class.
- Evidentiary Integrity Guarantees: In progress
The moat. KMS-backed signing, BYOK column-level encryption, offline verifier CLI, vendor-exit data export. These are the controls a regulator-grade buyer asks for that go beyond SOC2.
- ISO 27001: Planned
Targeted once SOC2 Type II opinion is held.
Subprocessors & data flow
The third parties that process data on behalf of MeshQu when you use the platform are listed in our privacy notice. Each entry includes purpose, processing region, and a link to the relevant Data Processing Addendum.
We will give at least 30 days’ notice before adding a new subprocessor that materially changes the data flow.
Verifying a MeshQu receipt independently
Every receipt MeshQu issues is signed with Ed25519 and anchored to the public Sigstore Rekor transparency log. You can verify a receipt without making any API call to MeshQu:
- The signed envelope contains a key id (kid) referring to one of our published Ed25519 public keys.
- The receipt’s integrity hash binds the policy snapshot and evidence manifest digests, so policy logic cannot be retroactively rewritten.
- Inclusion in Rekor is provable via a Merkle inclusion proof against the public log — independent of MeshQu’s availability.
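As an added illustration of the first two checks (this is not MeshQu's code, and the envelope layout, field names and hash construction are assumptions, since the receipt format is not specified here), the following Go program resolves the kid against a set of published Ed25519 keys, recomputes the integrity hash over the policy-snapshot and evidence-manifest digests, and verifies the signature without contacting the issuer. The Rekor inclusion proof is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Receipt is an assumed envelope layout for illustration; the real MeshQu format is not specified here.
type Receipt struct {
	Kid, DecisionID, PolicyDigest, EvidenceDigest string // kid selects a published key; digests are hex SHA-256
	IntegrityHash                                 string // hex SHA-256 binding DecisionID, PolicyDigest and EvidenceDigest
	Signature                                     []byte // Ed25519 signature over IntegrityHash
}

// integrityHash recomputes the binding hash so a swapped policy or evidence digest is detected.
func integrityHash(r Receipt) string {
	sum := sha256.Sum256([]byte(r.DecisionID + "|" + r.PolicyDigest + "|" + r.EvidenceDigest))
	return hex.EncodeToString(sum[:])
}

// VerifyReceipt checks a receipt fully offline: known kid, matching integrity hash, and a valid
// Ed25519 signature over that hash. It never contacts the issuer.
func VerifyReceipt(r Receipt, keys map[string]ed25519.PublicKey) error {
	pk, ok := keys[r.Kid]
	if !ok {
		return fmt.Errorf("unknown kid %q", r.Kid)
	}
	if integrityHash(r) != r.IntegrityHash {
		return fmt.Errorf("integrity hash mismatch: policy or evidence digest was altered")
	}
	if !ed25519.Verify(pk, []byte(r.IntegrityHash), r.Signature) {
		return fmt.Errorf("ed25519 signature invalid for kid %q", r.Kid)
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	keys := map[string]ed25519.PublicKey{"key-1": pub} // constructed stand-in for the published key set
	p, e := sha256.Sum256([]byte("policy snapshot v1")), sha256.Sum256([]byte("evidence manifest"))
	r := Receipt{Kid: "key-1", DecisionID: "decision-42", PolicyDigest: hex.EncodeToString(p[:]), EvidenceDigest: hex.EncodeToString(e[:])}
	r.IntegrityHash = integrityHash(r)
	r.Signature = ed25519.Sign(priv, []byte(r.IntegrityHash)) // issuer side, included only so the demo is self-contained
	fmt.Println("genuine receipt:", VerifyReceipt(r, keys))
	r.PolicyDigest = "0000" // simulate a retroactive policy rewrite
	fmt.Println("tampered receipt:", VerifyReceipt(r, keys))
}
```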
An offline verifier CLI is on the public roadmap so that customers can verify proofs even after a vendor exit. Talk to us if you need an early version for a procurement review.
Reporting a vulnerability
Email security@meshqu.com with details. Our full disclosure policy — scope, response SLAs, safe harbour clause — is in SECURITY.md.
We acknowledge reports within 2 business days and aim to resolve confirmed issues within 90 days of acknowledgement.
Questions
For procurement, security questionnaires, or DPA requests, email security@meshqu.com.