← All docs
Getting started
Your first sessionThe workspaceSSH access
Core concepts
Agent rolesExperimentsResearch plansCanvasWorkflows
Integrations
GitHubWebhooksNotifications
Platform
Billing and plansAgent memoryMulti-chatKeyboard shortcuts
Reference
GPU catalogAgent toolsAPI referenceSecurityLimits and quotas
← Docs
Reference

Security

How Meshia handles your data

Your code and data live on an isolated GPU pod provisioned just for your session. Pods are single-tenant; no other user shares your machine. While the session is active, /workspace is backed by a per-session workspace volume. When you stop a session, Meshia releases compute and attempts to release that workspace volume too. Chat history, events, and exported artifacts persist in Meshia; raw workspace files persist only when Meshia explicitly retains a volume for recovery/resume.

Network isolation

Each pod runs in its own network namespace. Pods cannot communicate with each other. Inbound traffic is restricted to your authenticated session connection and SSH (if you've configured a key). Outbound traffic is unrestricted so your agent can download datasets, clone repos, and install packages.

Authentication

Meshia uses one-time 6-digit email codes for authentication. No passwords are stored. Session tokens expire after 30 days of inactivity. API keys (msh_ prefix) don't expire but can be revoked instantly from Settings > API.

Secrets management

If your workflow needs API keys (OpenAI, Hugging Face, Weights & Biases, etc.), add them in Settings > Environment. They're encrypted at rest with AES-256-GCM and synced to new and active pods through the authenticated pod channel. The agent can use them at runtime; values are scrubbed from chat and tool output and never shown after save.

The agent actively scans for secrets before committing code. If it detects an API key, password, or token in staged files, it refuses to commit and tells you what it found.

Git safety

All Git operations follow strict safety rails documented in the GitHub integration page. The short version: no force push, no merge to main, no destructive operations, no secrets in commits. These rules are enforced at the platform level and cannot be overridden.

Data retention

  • Workspace filesystem: released on normal stop; retained only when Meshia keeps a recovery volume for resume
  • Chat, terminal logs, and session events: retained with the session record
  • Experiment data (metrics, configs, artifacts): retained per your plan (30 days on Trial, unlimited on Pro)
  • Agent memory: retained until you delete it from Settings > Memory
  • Account data: retained until you delete your account. Email harsha@meshia.io to request full deletion.

SOC 2 and compliance

We're pre-SOC 2. If your organization requires compliance documentation, email harsha@meshia.io and we'll work through your security questionnaire directly.

← API referenceLimits and quotas →