Enterprise Security

Your data security is our priority

MetricsHub is built on a security-first architecture. Every layer, from network ingress to storage, is designed to protect your telemetry data.

Compliance & Certifications
Industry-standard certifications
We undergo rigorous independent audits to validate our security controls and provide our customers with assurance they can trust.
SOC 2 Type II
Security, Availability, Confidentiality trust service criteria
✓ Certified · Audit 2024

GDPR Compliant
EU/UK data protection regulation; Data Processing Agreements available
✓ DPA Available

ISO 27001
Information Security Management System; certification in progress
In Progress · Q3 2025

PCI DSS SAQ-A
Payment card data is handled exclusively by Stripe and is out of scope for PCI
✓ Delegated to Stripe

Compliance reports and our current SOC 2 report are available to enterprise customers under NDA. Contact security@metricshub.io to request access.

Technical Controls
Defence-in-depth security architecture
Multiple overlapping security layers protect against threats at every tier of the platform.

Encryption in Transit

All API endpoints enforce TLS 1.2 minimum; TLS 1.3 preferred. Weak cipher suites are disabled. Certificate pinning is supported in our mobile SDKs.

  • TLS 1.3 with ECDHE key exchange
  • HSTS preloading (max-age 63072000)
  • Certificate transparency logging enforced
  • Mutual TLS available for enterprise customers

Encryption at Rest

All customer data is encrypted at rest using AES-256-GCM. Encryption keys are managed in AWS KMS with automatic rotation every 90 days.

  • AES-256-GCM for event and metric data
  • Envelope encryption via AWS KMS
  • Separate key hierarchies per customer (Enterprise)
  • Hardware Security Module (HSM) backed keys
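
To make the "envelope encryption via AWS KMS" and "rotation every 90 days" bullets concrete, here is an added example in Go, written for this page and not taken from MetricsHub. It models the KMS as an in-process key holder, uses AES-256-GCM both for the record data and for wrapping the per-record data key, binds the customer ID as associated data so a wrapped key cannot be replayed under another tenant, and shows that rotating the key encryption key (KEK) only re-wraps the data encryption key (DEK) while the stored ciphertext stays untouched. The names Envelope, KMS, Rotate, Rewrap, the KEKVersion field and the sample metric value are all assumptions made for the illustration; a real deployment would call KMS for the wrap and unwrap operations rather than hold KEKs in memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what sits in storage next to a record: the data ciphertext and the
// per-record DEK wrapped by a KMS-held KEK, each laid out as nonce || ct || tag.
type Envelope struct {
	KEKVersion int    // KEK version that wrapped the DEK (hypothetical field name)
	WrappedDEK []byte // AES-256-GCM(KEK, DEK)
	Ciphertext []byte // AES-256-GCM(DEK, plaintext)
}

// randBytes returns n CSPRNG bytes; a failing CSPRNG is not recoverable here.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcmSeal encrypts under a 32-byte key with a fresh random 96-bit nonce prepended.
// The two constructors can only fail on a wrong key size, i.e. a caller bug.
func gcmSeal(key, plaintext, aad []byte) []byte {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// gcmOpen reverses gcmSeal; a wrong key, tampered bytes or mismatched AAD fails.
func gcmOpen(key, sealed, aad []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// KMS stands in for AWS KMS: it keeps every KEK version (n at keks[n-1]), exports none.
type KMS struct{ keks [][]byte }

// Rotate adds a 256-bit KEK and returns its version; call it once before first use.
func (k *KMS) Rotate() int {
	k.keks = append(k.keks, randBytes(32))
	return len(k.keks)
}

// Encrypt makes a fresh DEK per record, encrypts the data with it and wraps the DEK
// under the current KEK. The customer ID is AAD on both layers (tenant binding).
func Encrypt(k *KMS, customerID string, plaintext []byte) *Envelope {
	dek, aad := randBytes(32), []byte(customerID)
	wrapped := gcmSeal(k.keks[len(k.keks)-1], dek, aad)
	return &Envelope{KEKVersion: len(k.keks), WrappedDEK: wrapped, Ciphertext: gcmSeal(dek, plaintext, aad)}
}

// unwrap recovers the DEK with whichever KEK version the envelope records.
func unwrap(k *KMS, customerID string, env *Envelope) ([]byte, error) {
	if env.KEKVersion < 1 || env.KEKVersion > len(k.keks) {
		return nil, errors.New("unknown KEK version")
	}
	return gcmOpen(k.keks[env.KEKVersion-1], env.WrappedDEK, []byte(customerID))
}

// Decrypt unwraps the DEK, then decrypts the data with it.
func Decrypt(k *KMS, customerID string, env *Envelope) ([]byte, error) {
	dek, err := unwrap(k, customerID, env)
	if err != nil {
		return nil, err
	}
	return gcmOpen(dek, env.Ciphertext, []byte(customerID))
}

// Rewrap moves an envelope onto the current KEK without re-encrypting the data.
func Rewrap(k *KMS, customerID string, env *Envelope) error {
	dek, err := unwrap(k, customerID, env)
	if err == nil {
		env.WrappedDEK, env.KEKVersion = gcmSeal(k.keks[len(k.keks)-1], dek, []byte(customerID)), len(k.keks)
	}
	return err
}

func main() {
	k := &KMS{}
	k.Rotate()
	env := Encrypt(k, "cust-42", []byte("cpu.load=0.71")) // constructed sample metric
	k.Rotate()                                               // simulated scheduled KEK rotation
	rewrapErr := Rewrap(k, "cust-42", env)
	pt, err := Decrypt(k, "cust-42", env)
	fmt.Println(env.KEKVersion, rewrapErr, string(pt), err)
}
```

The point a practitioner should take from this is in Rewrap: because only the wrapped DEK depends on the KEK, a 90-day KEK rotation is a metadata update per record, not a bulk re-encryption of the stored telemetry, and old KEK versions only need to survive until every envelope has been re-wrapped.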

Authentication & Access Control

API keys are generated using cryptographically secure random bytes. Internal service-to-service auth uses short-lived mTLS certificates issued by a private CA.

  • API keys: 32-byte CSPRNG, bcrypt-hashed at rest
  • Developer portal: TOTP MFA supported
  • Internal access: least-privilege IAM roles
  • All admin actions audit-logged to immutable store
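
As an added example for the API-key bullets above (written for this page, not MetricsHub's code), the Go program below issues keys from CSPRNG bytes, stores only a hash of the secret, verifies in constant time and revokes by a public identifier. Two things are assumptions made for the illustration: the "mh_" prefix, the 8-byte public key ID, the KeyStore type and its method names are invented; and the page's bcrypt is replaced by SHA-256, because Go's standard library has no bcrypt and a 32-byte random secret has far too much entropy to brute-force whatever the hash cost. The public key ID matters in the bcrypt case too: salted hashes cannot be looked up by value, so the record must be found by an identifier that is not itself secret and that can safely appear in audit logs.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// keyPrefix is a hypothetical vendor prefix: it lets secret scanners and log
// filters recognise a key of this shape without knowing anything secret.
const keyPrefix = "mh_"

// errInvalidKey is the single error every verification failure maps to.
var errInvalidKey = errors.New("invalid API key")

// StoredKey is the database record: the owner and a hash of the secret, never
// the secret itself, so a leaked table does not yield usable keys.
type StoredKey struct {
	CustomerID string
	Hash       [32]byte // SHA-256 of the 32 secret bytes (bcrypt stand-in, see lead-in)
	Revoked    bool
}

// KeyStore maps the public key ID (safe to log and audit) to its record.
type KeyStore map[string]*StoredKey

// Issue mints "mh_<16 hex key ID>_<43 base64url secret chars>" from 40 CSPRNG
// bytes, stores only the secret's hash, and hands the plaintext back exactly once.
func (s KeyStore) Issue(customerID string) (string, error) {
	raw := make([]byte, 8+32) // 8 bytes public ID, 32 bytes secret
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	keyID, secret := hex.EncodeToString(raw[:8]), raw[8:]
	s[keyID] = &StoredKey{CustomerID: customerID, Hash: sha256.Sum256(secret)}
	return keyPrefix + keyID + "_" + base64.RawURLEncoding.EncodeToString(secret), nil
}

// Verify parses a presented key, finds its record by the public ID and compares
// hashes in constant time. All failures return the same error, so a caller
// cannot tell "no such key" from "wrong secret" or "revoked".
func (s KeyStore) Verify(presented string) (string, string, error) {
	rest, ok := strings.CutPrefix(presented, keyPrefix)
	if !ok {
		return "", "", errInvalidKey
	}
	id, encoded, ok := strings.Cut(rest, "_")
	if !ok || len(id) != 16 {
		return "", "", errInvalidKey
	}
	secret, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil || len(secret) != 32 {
		return "", "", errInvalidKey
	}
	rec, found := s[id]
	if !found || rec.Revoked {
		return "", "", errInvalidKey
	}
	got := sha256.Sum256(secret)
	if subtle.ConstantTimeCompare(got[:], rec.Hash[:]) != 1 {
		return "", "", errInvalidKey
	}
	return rec.CustomerID, id, nil
}

// Revoke disables a key by its public ID, which is all that incident containment
// needs to handle; nobody has to touch the secret.
func (s KeyStore) Revoke(keyID string) bool {
	rec, ok := s[keyID]
	if !ok {
		return false
	}
	rec.Revoked = true
	return true
}

func main() {
	store := KeyStore{}
	key, err := store.Issue("cust-42") // constructed sample customer
	if err != nil {
		panic(err)
	}
	cust, id, err := store.Verify(key)
	fmt.Println("issued:", key, "->", cust, id, err)
	store.Revoke(id)
	_, _, err = store.Verify(key)
	fmt.Println("after revoke:", err)
}
```

Because the ID half of the key is not secret, it is the value to record in the audit log for every API request and administrative action; the secret half should never be logged, and only its hash should ever reach storage.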

Network Security

All ingest nodes sit behind Cloudflare's DDoS mitigation layer. Internal services communicate over isolated VPCs with security group rules that permit only required traffic.

  • Cloudflare Enterprise DDoS protection
  • AWS VPC with strict security groups
  • No SSH direct access; all ops via SSM Session Manager
  • Web Application Firewall (OWASP Top 10 ruleset)

Monitoring & Threat Detection

All API requests, authentication events, and administrative actions are logged to a centralised SIEM. Anomaly detection alerts fire in real time for unusual patterns.

  • Centralised structured logging (90-day retention)
  • Real-time anomaly detection for API abuse
  • AWS GuardDuty for infrastructure threat detection
  • 24/7 on-call security operations

Penetration Testing

We engage an independent security firm to conduct full-scope penetration tests of our API, infrastructure, and developer portal on a quarterly basis.

  • Quarterly external pen tests (full scope)
  • Annual red team exercise
  • Automated DAST scanning on every deployment
  • Dependency vulnerability scanning (Snyk, Trivy)
Independent Testing
Penetration test history
All tests conducted by independent third-party security firms. Summaries are available to enterprise customers on request.
Period        | Scope                             | Firm       | Critical / High Findings                      | Status
Q1 2025 (Feb) | API Gateway, Auth, Portal         | NCC Group  | 0 Critical · 1 High (remediated)              | ✓ Remediated
Q4 2024 (Nov) | Infrastructure, VPC, Storage tier | Cure53     | 0 Critical · 0 High                           | ✓ Clean
Q3 2024 (Aug) | API Gateway, SDKs                 | NCC Group  | 0 Critical · 2 High (remediated)              | ✓ Remediated
Q2 2024 (May) | Full scope + red team             | Bishop Fox | 0 Critical · 0 High                           | ✓ Clean
Q1 2024 (Feb) | API Gateway, Auth, Portal         | Cure53     | 1 Critical (remediated) · 1 High (remediated) | ✓ Remediated
Incident Response
How we respond to security incidents
Our Security Incident Response Plan (SIRP) defines clear escalation paths and communication timelines.
0–15 min
Detection & Triage

Automated monitoring fires an alert. On-call engineer acknowledges and performs initial severity assessment using our CVSS-based triage matrix.

15–60 min
Containment

Affected systems or API keys are isolated. If customer data is involved, a preliminary assessment of scope and impact is performed. An incident commander is assigned.

1–4 hours
Customer Notification

If a data breach affecting customer data is confirmed, affected customers are notified within 4 hours of confirmation. Supervisory authorities are notified within 72 hours as required by GDPR Article 33.

24–72 hours
Eradication & Recovery

Root cause is identified and eliminated. Systems are restored from known-good state. Monitoring is intensified for 7 days post-incident.

Post-incident
Post-Mortem & Disclosure

A full post-mortem report is completed within 5 business days. A public summary is published on our status page for incidents affecting service availability.

Responsible Disclosure
Report a vulnerability
We take all security reports seriously and respond promptly. If you've found a vulnerability in MetricsHub, please report it responsibly.

Responsible Disclosure Policy

MetricsHub operates a responsible disclosure programme. We ask that you:

  • Report findings to security@metricshub.io before public disclosure
  • Give us a reasonable time (typically 90 days) to investigate and remediate before disclosure
  • Not access, modify, or delete customer data beyond what is necessary to demonstrate the vulnerability
  • Not perform denial-of-service testing against our production infrastructure

What to include in your report: description of the issue, steps to reproduce, potential impact, and any proof-of-concept (redacted to avoid exposing sensitive data).

We will acknowledge all reports within 2 business days and provide a remediation timeline within 7 business days. We credit researchers in our security advisories with their permission.

PGP Public Key for security@metricshub.io (fingerprint)
4A2E F891 C3D7 08B4 1F63   9E2A 7B80 D143 5C9F 2E17
B3A1 0C48 6E25 8D9F A721   4C8B 1E37 9A04 7F62 D3E5

Full PGP key available at: https://dev-metrics-hub.net/.well-known/security.txt

Security contacts

Report a vulnerability

For responsible disclosure of security vulnerabilities in our platform or APIs.

security@metricshub.io

Response within 2 business days

Compliance & DPA requests

Data Processing Agreements, SOC 2 reports, GDPR questionnaires, and compliance enquiries.

compliance@metricshub.io

Response within 3 business days