Security

Last updated: June 15, 2026

Security is not an afterthought at Meshless—it is the foundation of our product. We built this platform for enterprise teams who demand zero-latency 3D experiences without sacrificing intellectual property.

Theft-Proof 3D Architecture (Core Protection)

The .glb and .gltf formats embed full geometry data, making them trivially extractable from browser DevTools. Meshless never exposes raw model files to the browser. Our rendering pipeline processes your assets server-side, delivering only optimized WebP image sequences to the end user.

This guarantees:

  • No .glb payloads in browser network requests.
  • No raw geometry in JavaScript memory.
  • Zero possibility of reverse-engineering or downloading your proprietary 3D models.

Infrastructure & Edge Security

We utilize a modern, edge-optimized infrastructure designed for global scale and resilience.

  • Cloudflare Edge Network: All incoming traffic is routed through Cloudflare, providing enterprise-grade DDoS mitigation, WAF (Web Application Firewall), and bot protection (Turnstile).
  • Storage Isolation: Raw assets are securely stored in Cloudflare R2 buckets with strict programmatic access controls.
  • Network Encryption: All connections to the Meshless API, Dashboard, and CDN are enforced over TLS 1.3 via automated reverse proxy architecture (Caddy). We enforce strict HSTS (max-age=31536000; includeSubDomains; preload).

Embedding Security (Iframe Domain-Lock)

To deliver zero-latency experiences for e-commerce, we do not use heavy, performance-degrading signed URLs. Instead, we secure your assets using Strict Content Security Policy (CSP).

  • Frame-Ancestors Enforcement: Your 360-degree viewers can only be embedded on domains you explicitly authorize in your Meshless Dashboard.
  • Unauthorized Rejection: If a malicious actor attempts to embed your viewer on an unauthorized third-party site, the browser natively blocks the request.

Access Control & Audit Logs

  • Identity Provider: User authentication, session management, and JWT validations are securely handled by Clerk.
  • Role-Based Access Control (RBAC): Customer data is logically isolated at the database level. Tenant boundaries are strictly enforced by our Minimal API layer.
  • Hybrid Transparency (Audit Logging): For enterprise support, Meshless administrators can securely impersonate workspaces to troubleshoot issues. These actions are never hidden. Every critical admin action is explicitly recorded and badged in your dashboard's Audit Log for complete transparency.

Vulnerability Disclosure

We operate a responsible disclosure program. If you discover a security vulnerability, please report it to:

security@meshless.io

We commit to acknowledging receipt within 48 hours, providing an initial assessment within 5 business days, and keeping you informed of remediation progress. Please do not disclose vulnerabilities publicly until we have remediated them.

Compliance

Compliance & Privacy

FrameworkStatus
GDPRCompliant (Right to erasure, data portability supported)
CCPACompliant (No sale of personal data)
Enterprise AuditsAvailable via Security Questionnaires

For enterprise security questionnaires or custom IT architecture reviews, please contact your account manager or email security@meshless.io.