IT & Security Reference for Meridyon

Meridyon is PHI-free by design. It stores no patient records or clinical data — it schedules clinicians, not patients. Because no PHI is stored, a HIPAA Business Associate Agreement is generally not required; we recommend IT confirm with their own counsel. Your security review covers a workforce-scheduling tool, not a clinical data system.

• Hosted on dedicated US-based virtual servers, with production in a US East region data center.
• Fronted by Cloudflare at the US edge for CDN, DNS, and TLS.
• HTTPS/TLS terminates at the Cloudflare edge; traffic continues to the origin over the provider network.

• Session-based sign-in with bcrypt-hashed passwords and HttpOnly cookies
• Passkeys (WebAuthn) for strong, phishing-resistant authentication
• Enterprise SSO via OIDC (Okta, Azure AD, Google Workspace) with full ID-token verification — signature, issuer, audience, expiry, and nonce, plus email_verified enforced
• 12-character minimum password policy
• Account lockout and login rate limiting on repeated failed attempts
• Role-based access: Admin, Provider, and Team Assigner

• CSRF protection on all state-changing requests
• Security headers across the app: Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options
• Audit logging with before/after values, retained 2 years by default (configurable), exportable as CSV or JSON
• Tenant isolation — each organization’s data is scoped server-side and is not accessible across organizations

• Automated daily database backups.
• An off-site copy is replicated to a separate facility.
• Restore drills are performed — a restore was verified in June 2026 (backups are tested, not just taken).
• Initial recovery targets: RPO ~24 hours, RTO ~1 hour (stated as targets, not guarantees).

Third-party vendors Meridyon relies on to operate the service.

• No SOC 2, ISO 27001, or HITRUST certification yet. If your organization requires one, ask us where we are on the path.
• Uptime and availability figures are internal targets, not contractual SLAs. We publish a status page and operate with recovery objectives, but offer no contractual uptime guarantee yet.

We state this plainly because it’s deliberate. What we do stand behind: no patient records or clinical data, verified-ID-token SSO, audit trails with real before/after values, backups we’ve actually restored from, and a public status page.

Meridyon supports current stable browser versions and does not support Internet Explorer or legacy embedded webviews.

Meridyon sends transactional scheduling mail from sender addresses on the meridyon.com domain. Allow these domains for notifications, request replies, invitations, and password reset messages.

No lock-in. Customers can export their data at any time:

• Schedules as CSV.
• Per-provider calendar feeds (iCal).
• Audit logs as CSV or JSON.