Trust & security
PHI-free by design.
Meridyon schedules clinicians, not patients. No patient records or clinical data — and no BAA required.
A lighter review.
The system holds provider names, work emails, shift assignments, and workforce targets. Your security review covers a workforce-scheduling tool, not a clinical data system.
Authentication
Session sign-in with securely hashed passwords and HttpOnly cookies. Passkeys (WebAuthn). Enterprise SSO via OIDC (Okta, Azure AD, Google Workspace) with full ID-token verification — signature, issuer, audience, expiry, and nonce.
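To make "full ID-token verification" concrete, here is an added example (not Meridyon's code) of a verifier that enforces each listed check, signature, issuer, audience, expiry and nonce, on a constructed token. The secret, issuer URL and client_id are assumed; it signs with HS256 purely so it runs offline, whereas a real OIDC relying party validates RS256/ES256 signatures against keys fetched from the IdP's JWKS endpoint with the same check sequence.

```python
import base64, hashlib, hmac, json, time
# Constructed demo secret. Real OIDC IdPs sign with RS256/ES256 keys published
# at their JWKS endpoint; the check sequence below is the same either way.
DEMO_KEY = b"constructed-demo-secret-not-for-production"
ISSUER = "https://idp.example.test"     # assumed IdP issuer URL
CLIENT_ID = "meridyon-demo-client"      # assumed relying-party client_id

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_id_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a compact JWS (HS256) so the verifier can be exercised offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_id_token(token: str, nonce: str, *, key: bytes = DEMO_KEY,
                    issuer: str = ISSUER, audience: str = CLIENT_ID, now=None) -> dict:
    """Return the claims only if every check passes; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")   # never let the token choose 'none'
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")    # checked before any claim is trusted
    claims = json.loads(_unb64url(body_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if float(claims.get("exp", 0)) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if not hmac.compare_digest(str(claims.get("nonce", "")).encode(), nonce.encode()):
        raise ValueError("nonce mismatch")   # ties the token to this login attempt
    return claims

def is_rejected(token: str, nonce: str, **kw) -> bool:
    """True when verify_id_token refuses the token; exercises the failure paths."""
    try:
        verify_id_token(token, nonce, **kw)
        return False
    except ValueError:
        return True
```

The nonce check is what stops a captured ID token from being replayed into a different login attempt; the `alg` pin stops a token from downgrading the signature check away.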
Account protection
CSRF protection on state-changing requests, login rate limiting, lockout after 5 failed attempts, 12-character minimum passwords.
Security headers
Content Security Policy, HSTS, X-Frame-Options, and related hardening headers across the application.
Audit logging
Administrative and scheduling changes logged with before/after values, retained for 2 years by default (configurable), exportable as CSV or JSON.
Backups & recovery
Daily backups with off-site copies. Restore drills have been performed — backups are tested, not just taken.
Billing
Payments run through Stripe — card data never touches Meridyon’s servers. Read access is never gated: you are never locked out of your own data.
What we don’t claim yet
- No SOC 2, ISO 27001, or HITRUST certification yet. If your organization requires one, ask us where we are on the path.
- Uptime targets are targets, not contractual SLAs. We publish a status page and operate with recovery objectives, but no contractual uptime guarantee yet.
What we will claim: no patient records or clinical data, verified-ID-token SSO, audit trails with real before/after values, backups we’ve actually restored from, and a public status page.
For IT reviewers
A readiness summary is at schedule.meridyon.com/support/it-professionals, and the live status page at schedule.meridyon.com/status. Questions? support@meridyon.com.