Security

Last updated: 20 February 2026 · Lab81 Ltd trading as MerakiGuard

1. Our Approach

MerakiGuard is a compliance auditing tool — security is foundational to everything we build. We understand that you are trusting us with access to your network infrastructure, and we take that responsibility seriously.

This page describes the technical and organisational measures we use to protect your data, credentials, and network configurations.

2. Read-Only by Design

MerakiGuard connects to the Cisco Meraki Dashboard API in read-only mode. We only use API endpoints that retrieve configuration data — we never make changes to your network devices, policies, or settings.

We recommend creating a dedicated read-only API key in your Meraki Dashboard specifically for MerakiGuard. This follows the principle of least privilege and ensures MerakiGuard can never modify your network, even in the event of a compromise.

3. Credential Protection

3.1 Meraki API Keys

Your Meraki Dashboard API keys are encrypted at rest using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256 authentication). Keys are only decrypted momentarily in memory during scan operations to authenticate with the Meraki API. They are never stored in plaintext, logged, or exposed in any API response.

3.2 Passwords

User passwords are hashed using bcrypt with a cost factor of 12. We never store, log, or transmit passwords in plaintext. Bcrypt is a deliberately slow, salted hashing algorithm designed to resist brute-force and rainbow table attacks.

3.3 Authentication Tokens

Sessions are managed via JSON Web Tokens (JWT) with configurable expiration. Tokens are signed with a server-side secret and validated on every request. No session data is stored in cookies beyond the JWT itself.

4. Data Isolation

MerakiGuard is a multi-tenant platform with strict data isolation:

  • Row-level isolation — every database record is scoped to a user ID. Queries are filtered at the application layer to ensure users can only access their own data.
  • No cross-tenant access — there is no mechanism for one user to view, modify, or interact with another user's organisations, scans, or results.
  • Scoped API keys — each Meraki API key is associated with a specific organisation record owned by a specific user.

5. Encryption in Transit

All communication between your browser and MerakiGuard is encrypted using HTTPS/TLS. We enforce TLS for all connections — plaintext HTTP requests are redirected to HTTPS.

Communication between MerakiGuard and the Cisco Meraki Dashboard API is also conducted exclusively over HTTPS.

6. Infrastructure Security

Layer Measure
Reverse proxy Traefik with automatic Let's Encrypt TLS certificate provisioning and renewal
Application Containerised services (Docker) with minimal base images and no root processes
Database PostgreSQL with credentials managed via environment variables, not accessible from the public internet
Secrets All secrets (JWT signing key, Fernet encryption key, database credentials, Stripe keys) injected via environment variables — never committed to source control
Network Internal services communicate over a private Docker network; only the reverse proxy is publicly exposed

7. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. MerakiGuard never receives, processes, or stores your full credit card number, CVV, or other sensitive payment card data.

We store only the Stripe customer ID and subscription ID necessary to manage your subscription lifecycle.

8. Data Minimisation

We follow the principle of data minimisation:

  • We only collect data that is necessary to provide the Service
  • Network configuration snapshots contain only the settings needed for compliance checks — no traffic data, user data, or client device information is collected
  • We do not use analytics cookies, tracking pixels, or advertising SDKs
  • Server logs are retained for a maximum of 90 days

9. Incident Response

In the event of a security incident that affects your personal data, we will:

  1. Investigate and contain the incident as quickly as possible
  2. Notify the Information Commissioner's Office (ICO) within 72 hours where required under UK GDPR
  3. Notify affected users without undue delay, providing details of the incident and steps being taken
  4. Conduct a post-incident review and implement additional safeguards as needed

10. Responsible Disclosure

If you discover a security vulnerability in MerakiGuard, we encourage you to report it responsibly. Please email us at hello@lab81.io with details of the vulnerability.

We ask that you:

  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
  • Do not access or modify other users' data
  • Provide sufficient detail for us to reproduce and fix the issue

We will acknowledge receipt of your report within 48 hours and keep you informed of our progress.

11. Questions

If you have any questions about our security practices or would like to request further information, please contact us:

Lab81 Ltd (trading as MerakiGuard)
Email: hello@lab81.io