Encryption

How Meridian encrypts your data end-to-end

Meridian uses strong, modern encryption to ensure that your data remains private at every stage – on your device, in transit, and on the server.

End-to-End Encryption

All user data is encrypted on your device before being sent to the server using ChaCha20-Poly1305, a modern authenticated encryption algorithm. The server only stores encrypted blobs it cannot read. This means that even Meridian’s own infrastructure has no ability to access your information.

Key Management

Your encryption key is derived from your account and stored securely in macOS Keychain. It never leaves your device in plain form.

When you add a new device, keys are transferred securely via X25519 key exchange with QR code pairing. This ensures that your encryption keys move between your devices without ever passing through the server in a readable format.
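The pairing flow described above, as an added Node.js sketch that is not Meridian's code: a new device publishes an ephemeral X25519 public key in a QR code, and an existing device wraps the account key to it with ChaCha20-Poly1305. The HKDF-SHA256 derivation step, the context label, the envelope fields, the function names, and which device displays the QR code are all assumptions made for illustration.

```javascript
// Added example (not Meridian's code): X25519 + HKDF-SHA256 + ChaCha20-Poly1305 key wrap.
const nodeCrypto = require("node:crypto");

const INFO = Buffer.from("example-device-pairing-v1"); // hypothetical context label

const exportPub = (k) => k.export({ type: "spki", format: "der" });
const importPub = (der) => nodeCrypto.createPublicKey({ key: der, format: "der", type: "spki" });

// Both sides derive the same 32-byte wrapping key from the ECDH shared secret.
// Using both public keys as the HKDF salt binds the key to this one pairing.
function deriveWrapKey(myPrivate, peerPubDer, newDevicePub, oldDevicePub) {
  const shared = nodeCrypto.diffieHellman({ privateKey: myPrivate, publicKey: importPub(peerPubDer) });
  const salt = Buffer.concat([newDevicePub, oldDevicePub]);
  return Buffer.from(nodeCrypto.hkdfSync("sha256", shared, salt, INFO, 32));
}

// New device: create an ephemeral key pair; the public half goes into the QR code.
function startPairing() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("x25519");
  return { privateKey, qrPayload: exportPub(publicKey) };
}

// Existing device: after scanning the QR code, wrap the account key for the new device.
function wrapAccountKey(accountKey, qrPayload) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("x25519");
  const senderPub = exportPub(publicKey);
  const key = deriveWrapKey(privateKey, qrPayload, qrPayload, senderPub);
  const nonce = nodeCrypto.randomBytes(12); // fresh nonce per wrap
  const cipher = nodeCrypto.createCipheriv("chacha20-poly1305", key, nonce, { authTagLength: 16 });
  const ciphertext = Buffer.concat([cipher.update(accountKey), cipher.final()]);
  // This envelope is everything a relaying server would see.
  return { senderPub, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// New device: unwrap. final() throws if any part of the envelope was altered.
function unwrapAccountKey(envelope, privateKey, qrPayload) {
  const key = deriveWrapKey(privateKey, envelope.senderPub, qrPayload, envelope.senderPub);
  const d = nodeCrypto.createDecipheriv("chacha20-poly1305", key, envelope.nonce, { authTagLength: 16 });
  d.setAuthTag(envelope.tag);
  return Buffer.concat([d.update(envelope.ciphertext), d.final()]);
}
```

In this sketch only the QR-carried public key is authenticated (by the user scanning it); the sending device's key is not, so a real design would also need a way for the new device to confirm who produced the envelope.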

What’s Encrypted

Meridian encrypts all of your personal data, including:

  • All emails, calendar events, contacts, tasks, and activities
  • OAuth tokens for connected accounts
  • AI embeddings and search indexes

What the Server Can See

A small amount of metadata is necessary for the service to function. The server can see:

  • Your login email
  • Which providers are connected (but not the account details)
  • Timestamps for sync ordering
  • Device tokens for push notifications

The server cannot see any message content, contact details, calendar event details, or OAuth tokens.

In Transit

All communication between your device and Meridian’s servers uses TLS encryption. Combined with end-to-end encryption, your data is encrypted twice while in transit – TLS protects the connection, and ChaCha20-Poly1305 protects the payload.

At Rest

Data on your device is protected by macOS system-level encryption (FileVault) in addition to Meridian’s own encryption layer.

Data on the server is stored as encrypted blobs that the server cannot decrypt. Even in the event of a server breach, your data remains unreadable.

Key Rotation

When you change your password, encryption keys are automatically rotated and all connected devices are notified to re-sync. This ensures that previous keys cannot be used to access your data going forward.