MeshX

Security overview

Last updated: 3 April 2026

This page summarises how MeshX Software Ltd (“MeshX”) approaches security and data protection for the MeshX web application and APIs. It is intended for customers, partners, and marketplace reviewers. For personal data handling, see the Privacy policy; for vendors, see Subprocessors.

Organisation and governance

  • MeshX acts as data controller for end-user data described in our Privacy policy.
  • Security and privacy enquiries: security@meshx.uk.
  • We use written agreements (including DPAs where applicable) with subprocessors listed at https://meshx.uk/subprocessors.

Encryption and transport

  • Public access to the application uses HTTPS (TLS) in production.
  • Customer-facing Supabase and cloud storage endpoints are accessed over TLS. Object storage (Cloudflare R2) and database providers apply encryption at rest according to their platform standards.

Authentication and access control

  • Users sign in through Supabase Auth (email/password and supported providers as enabled).
  • Browser clients receive session tokens appropriate to the client; privileged server keys (for example service role keys, payment secrets, and AI API keys) are stored only in server environment variables and are not embedded in client-side bundles.
  • API routes validate the caller’s access token server-side before performing sensitive operations. We apply least-privilege principles for internal access to production systems.
  • Multi-factor authentication (MFA) may be offered or required as MeshX rolls out stricter account controls; check in-app settings for current options.

Logging and monitoring

  • We log application and infrastructure events needed for security, debugging, and audit.
  • We minimise sensitive personal data in logs. Access to production logs is restricted to authorised personnel.

Vulnerability management and updates

  • Dependencies and frameworks are updated on an ongoing basis as part of normal development.
  • Report suspected vulnerabilities to security@meshx.uk. We ask that you allow reasonable time for remediation before public disclosure.

Incident response

  • We maintain a process to detect, contain, and recover from security incidents affecting customer data.
  • Where required by law or contract, we will notify affected users and regulators without undue delay.

Data retention and deletion

  • Retention practices are described in our Privacy policy.
  • Users may request account or data deletion subject to legal and contractual retention requirements; contact addresses are listed in the Privacy policy.

Marketplace integrations

MeshX connects to third-party marketplaces only through documented APIs after user consent (OAuth). We do not request marketplace passwords. Data use is limited to providing enabled features; see the Privacy policy section on marketplace and TikTok Shop data.

This overview describes general practices and may be updated. It is not an exhaustive security specification and does not create contractual obligations beyond your agreement with MeshX. Independent certifications (for example SOC 2) are not claimed unless separately published.