Vault Protocol | Meridian Research Institute

Core Principle

The Vault exists to create a protected space where research data can be collected, stored, and analyzed without exposing participants to attribution risk. Staff respondents must be able to report operational reality without concern that their responses will be visible to their employers. Organizations must be able to participate in research without concern that their internal practices will be publicly identified.

The Vault Protocol is not a marketing claim. It is an operational specification with documented controls, access restrictions, and verification procedures.

Data Classification

All data entering the Vault is classified into tiers that determine handling, access, and retention:

Tier 1: Raw Identifiable Data

Contents: Interview recordings, original survey responses with any identifying metadata, organizational documents provided during research.

Access: Principal Researcher only.

Retention: Destroyed after anonymization and verification, per documented schedule.

Storage: Encrypted at rest and in transit; access logged.

Tier 2: Anonymized Research Data

Contents: Interview transcripts with identifiers removed, survey responses stripped of metadata, coded organizational profiles.

Access: Principal Researcher and authorized research assistants under confidentiality agreement.

Retention: Retained for analysis period and longitudinal comparison.

Storage: Encrypted; access logged; segregated from Tier 1.

Tier 3: Aggregated Findings

Contents: Statistical summaries, pattern analyses, benchmark calculations—all meeting n≥3 aggregation threshold.

Access: Research team for verification; public upon publication.

Retention: Permanent archive as published research.

Storage: Standard secure storage; no special access restrictions after publication.

Access Controls

Access to Vault data is governed by role-based permissions with the principle of minimum necessary access:

| Role | Tier 1 Access | Tier 2 Access | Tier 3 Access |
| --- | --- | --- | --- |
| Principal Researcher | Full access | Full access | Full access |
| Research Assistant | No access | Task-specific access under supervision | Full access |
| Participating Organization (Leadership) | No access | No access to individual staff responses | Access to own positioning report and published aggregates |
| Public | No access | No access | Access to published findings only |

All access to Tier 1 and Tier 2 data is logged. Logs record who accessed what data, when, and for what documented purpose.

Staff Data Isolation

Staff survey responses receive the highest level of protection within the Vault. The following controls ensure that staff can report candidly without risk:

Isolation Guarantee

Individual staff responses are stored in a segregated data container that is never accessed by participating organizations. Leadership receives only aggregated data that has been processed through the cell size rule.

Specific Controls

  • No name collection: Staff surveys do not collect respondent names
  • No email linkage: Survey distribution does not create persistent links between email addresses and responses
  • Role generalization: Role data is collected at category level only (e.g., "operations staff" rather than specific job titles)
  • Free-text review: Open-ended responses are reviewed before analysis to remove inadvertent identifying information
  • Cell size rule: No finding is reported for any subgroup smaller than three respondents
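
The cell size rule above, as an added example that is not part of the Vault Protocol or the Institute's own tooling: it pools constructed (role category, score) rows and withholds any subgroup with fewer than three respondents. It goes one step beyond the stated rule by also withholding a second cell when only one falls under the threshold, since a published total would otherwise reveal the withheld count by subtraction; the function name, row layout and sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean

MIN_CELL = 3  # cell size rule from the page: no subgroup under three respondents


def aggregate_with_suppression(rows, min_cell=MIN_CELL):
    """Pool (role_category, score) rows and return publishable findings.

    Returns (total_n, {category: {"n": int, "mean": float} or None});
    None marks a withheld cell.
    """
    cells = defaultdict(list)
    for category, score in rows:
        cells[category].append(score)

    # Primary suppression: withhold every cell below the threshold.
    withheld = {c for c, scores in cells.items() if len(scores) < min_cell}

    # Complementary suppression (an addition beyond the page's rule): with the
    # total published, a single withheld cell equals total minus the rest, so
    # withhold the smallest remaining cell as well.
    if len(withheld) == 1:
        remaining = sorted((c for c in cells if c not in withheld),
                           key=lambda c: (len(cells[c]), c))
        if remaining:
            withheld.add(remaining[0])

    findings = {
        c: None if c in withheld
        else {"n": len(s), "mean": round(mean(s), 2)}
        for c, s in cells.items()
    }
    return len(rows), findings


# Constructed sample data: role categories and 1-5 survey scores.
SAMPLE_ROWS = [
    ("operations staff", 4), ("operations staff", 3), ("operations staff", 5),
    ("operations staff", 4),
    ("program staff", 2), ("program staff", 3), ("program staff", 4),
    ("finance staff", 1), ("finance staff", 2),
]

if __name__ == "__main__":
    total, findings = aggregate_with_suppression(SAMPLE_ROWS)
    print("total respondents:", total)
    for category, cell in findings.items():
        print(category, "->", cell or "withheld")
```
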

For Staff Survey Respondents

If you are completing a survey as part of this research, here is what you need to know:

Your individual responses will not be seen by your employer. Your responses will be combined with responses from staff at other organizations before any findings are produced. Nothing you report can be traced back to you. Your employer will receive only aggregate findings that reflect patterns across multiple organizations.

The Vault Protocol exists specifically to protect your ability to report operational reality without professional risk.

Encryption Standards

All data within the Vault is encrypted using current institutional standards:

  • At rest: AES-256 encryption for stored data
  • In transit: TLS 1.3 for all data transmission
  • Backup: Encrypted backups with separate key management

Encryption keys are managed separately from encrypted data. Key access is limited to the Principal Researcher.

Retention and Destruction

Data retention follows the principle of minimum necessary duration:

| Data Type | Retention Period | Destruction Method |
| --- | --- | --- |
| Interview recordings | Until transcription verified, maximum 90 days | Secure deletion with verification |
| Raw survey data | Until anonymization verified, maximum 60 days | Secure deletion with verification |
| Anonymized research datasets | Duration of research program plus 24 months | Secure deletion with verification |
| Published aggregated findings | Permanent | Not destroyed (public record) |

Destruction is verified through documented procedures that confirm data has been removed from all storage locations, including backups and any cached copies.

Breach Response

In the event of a suspected data breach, the following response protocol activates:

  • Immediate: Isolate affected systems; suspend access pending investigation
  • Within 24 hours: Assess scope and nature of breach; determine what data may have been exposed
  • Within 72 hours: Notify affected participants if identifiable data may have been compromised
  • Ongoing: Conduct root cause analysis; implement remediation; document incident and response

The Institute maintains incident response documentation that is reviewed and updated annually.

Verification and Audit

The Vault Protocol is not a static document. It is an operational system subject to verification:

  • Access logs: Reviewed monthly for anomalies or unauthorized access attempts
  • Encryption verification: Confirmed quarterly through system checks
  • Destruction verification: Documented for each data destruction event
  • Protocol review: Annual review of all Vault procedures for currency and effectiveness

Verification records are maintained and available for review by appropriate oversight bodies.

Questions and Concerns

Questions about the Vault Protocol or concerns about data handling may be directed to:

Meridian Research Institute
vault@meridianresearchinstitute.org

Staff respondents with concerns about the protection of their data may contact this address directly. All inquiries are handled confidentially.
