Meritan

Security & trust

Recording people during a high-stakes moment is a responsibility. Here is exactly how candidate and company data is handled, including what is live today and what is still on the way. No marketing gloss.

Last updated 22 June 2026 · Questions: founders@meritan.team

Where code runs

Candidate code runs in the candidate's own browser: JavaScript and TypeScript in a sandboxed Web Worker, Python via WebAssembly. Meritan's servers compile and run nothing. The server only ever sees the shared document and the API calls, which keeps the attack surface small and means we are not executing untrusted code on our infrastructure.

Encryption

Isolation

The everyday Junction editor and Meritan are separate products on separate accounts. A Meritan session cannot reach Junction data, or vice versa. The boundary is enforced on the server for every request, not just hidden in the UI. Within Meritan, sessions and recordings are visible only to the hiring org that created them. Nothing is ever public.

Integrity, recorded honestly

Integrity signals (paste blocked, focus loss, large inserts) are written to the server as they happen, where the candidate cannot delete or edit them. They are an append-only record. Candidates always see and consent to what is recorded before they write a line. We do not claim to be "AI-proof"; we make cheating effortful and visible, and put the evidence in front of a human.

Your data is yours

Full data export (Live): Owners can export every interview, integrity event, scorecard and replay as one JSON file, any time.
Audit log (Live): Every sensitive action (members, plan, settings, interviews, exports) is logged with who and when.
Retention controls (Live): Set how long recordings live; after that they are deleted. Free 14 days, Team 1 year, Business configurable.
Deletion on request (Live): Remove a candidate's data on request, on the retention schedule you set.

Application security

On the roadmap

We would rather tell you plainly than imply we have something we don't:

SSO / SAML (Rolling out): Per-org OIDC is built at the foundation; the login flow is being finished and tested against real identity providers.
SOC 2 (In progress): We are working toward SOC 2; we will not claim the report until it is issued.
Data residency (Rolling out): Region pinning for regulated buyers.
ATS integrations (Rolling out): Greenhouse and Lever.

Responsible disclosure

Found something? Email founders@meritan.team and we will respond quickly. We appreciate good-faith reports and will credit you if you'd like.