Theft-proof 360° viewers for e-commerce. Built for engineers who care about LCP.

© 2026 Meshless, Inc. · v0.0.1

Security

Last updated: May 14, 2026

Security is a core part of Meshless — not an afterthought. Our platform is built for teams that ship high-value 3D assets and need to know exactly how their data is protected.

Encryption

At rest. Every .glb and .gltf file you upload is encrypted with AES-256 before it touches our storage layer. Encryption keys are managed per-account and rotated annually.

In transit. All connections to Meshless — the dashboard, API, and CDN — are served over TLS 1.3. We enforce HSTS with a one-year max-age and include subdomains.

Rendered frames. WebP frame sequences are distributed via signed CDN URLs with configurable expiry. Unsigned direct access to frame URLs is rejected at the edge.
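
A minimal sketch of how an expiring signed URL can be issued and then checked at the edge, added here as an illustration and not Meshless's own code. It assumes an HMAC-SHA256 token over the path and expiry, carried in hypothetical `expires` and `sig` query parameters; the page does not say which signing scheme the CDN uses.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment would load this from a secret store.
SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"


def _mac(path: str, expires: int, key: bytes) -> str:
    # Bind the signature to both the exact path and the expiry timestamp,
    # so neither can be changed without invalidating the token.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign_url(url: str, ttl_seconds: int, now: Optional[int] = None,
             key: bytes = SIGNING_KEY) -> str:
    """Origin side: append an expiry and signature to a frame URL."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(urlsplit(url).path, expires, key)})
    return f"{url}?{query}"


def verify_url(url: str, now: Optional[int] = None,
               key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Edge side: return (allowed, reason) for an incoming request URL."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    if "expires" not in params or "sig" not in params:
        return False, "unsigned"
    try:
        expires = int(params["expires"][0])
    except ValueError:
        return False, "malformed"
    expected = _mac(parts.path, expires, key)
    # Constant-time comparison avoids leaking how much of the signature matched.
    if not hmac.compare_digest(expected.encode(), params["sig"][0].encode()):
        return False, "bad-signature"
    # Expiry is checked only after the signature, so the timestamp is trusted.
    if now > expires:
        return False, "expired"
    return True, "ok"
```

Because the path is part of the signed message, a token issued for one frame cannot be reused for another, and extending `expires` by hand invalidates the signature.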

Model Protection

The .glb format embeds full geometry data, making it trivially extractable from browser DevTools. Meshless never exposes raw model files to the browser. The rendering pipeline runs server-side; only the resulting WebP images are delivered to end users.

This means:

  • No .glb in browser network requests
  • No raw geometry in JavaScript memory
  • No way to reconstruct the model from CDN output

Infrastructure

  • Hosted on AWS (us-east-1, eu-west-1)
  • All S3 buckets are private with no public ACLs
  • IAM roles follow least-privilege; no wildcard permissions in production
  • VPC with private subnets for all compute; public-facing load balancers only
  • CloudTrail audit logging enabled on all accounts

Access Control

  • Employee access to production systems requires hardware MFA (YubiKey)
  • Production database access is audited and requires a time-limited break-glass procedure
  • Customer data is logically isolated per account; no cross-account queries are possible
  • Support staff access customer account metadata only, never raw file contents

Vulnerability Disclosure

We operate a responsible disclosure program. If you discover a security vulnerability in Meshless, please report it to:

security@meshless.io

Include a description of the vulnerability, steps to reproduce, and your contact information. We commit to:

  • Acknowledging receipt within 48 hours
  • Providing an initial assessment within 5 business days
  • Keeping you informed of remediation progress
  • Crediting you in our disclosure notes (unless you prefer otherwise)

Please do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate it.

Compliance

Framework        Status
SOC 2 Type II    In progress (expected Q4 2026)
GDPR             Compliant — DPA available
CCPA             Compliant
ISO 27001        Planned

For enterprise security questionnaires or compliance documentation, contact security@meshless.io.

Penetration Testing

Meshless undergoes annual third-party penetration tests. Summaries of findings and remediation status are available to Enterprise customers under NDA.