06-08-2017 09:46 AM
Before we start using Meridian-based wayfinding in our sites, my CyberSecurity team is requiring a security review of Meridian. This is standard practice for us when an internal solution uses a third party for any aspect of the solution. One of the questions they've asked me is if any Personally Identifiable Information is sent to or stored in Meridian.
I know that Meridian must know about the mobile devices commuicating with it through the wayfinding app but I don't what specific information is transferred to Meridian from each device. Is it just a device MAC address, IMEI or other unique ID or is there more information, like user information or phone number?
Thank you in advance for helping me understand.
Solved! Go to Solution.
06-08-2017 10:05 AM
I'm the Meridian team's technical writer. We've had some questions about Meridian and personally identifiable information come up before, so I thought I'd take a little time to explain how all of this works.
In short: Meridian-powered apps do not send personally identifiable information to anyone, whether the Meridian server or a third-party.
Meridian-powered apps use Bluetooth signals generated from Aruba Beacons to calculate a user's current location and also to send notifications--what we call campaigns.
When Aruba Beacons are configured for proximity, they can either send a notification message to the end-user's device or send data along to a third-party server. These campaigns are configured by the Meridian administrator for a particular location. In some cases, for example, a Meridian-powered app may have a user login. A campaign could send that user ID to a third-party endpoint when that user enters a specific area in a location.
By default, though, when a campaign is triggered, no personally identifiable data is sent.
On iOS, the Meridian-powered app sends its identifierForVendor value. On Android, it sends its advertising ID. These are used for the purposes of cooldowns, so that a user doesn't continue to receive the same notification over and over again. These two values can't be used to personally identify someone.
I hope this helps answer your questions. If not, I'm happy to clarify anything that isn't clear.
For more information on this, please see documentation: