We are committed to providing the industry's best security and privacy in all aspects of our products and services.
Macrometa has obtained a SOC 2 Type 2 certification for the Trust Criteria of Security and Availability. The SOC 2 report is available under NDA for Macrometa customers by request at email@example.com.
TECHNICAL SECURITY CONTROLS
Macrometa has implemented technical security controls across all aspects of its products and services
Secure Software Development
- All engineers are provided with secure development.
- Security reviews are part of the standard code review process.
- Security engineers mentor and advise the engineering team for continual improvement.
Automated Static Code Analysis
- Of source code using integration with best-in-class third-party tools.
- This process identifies security issues in Macrometa code.
- Findings are triaged and prioritized with JIRA tickets are created for engineers.
Automated and Manual Vulnerability Scans
- Of production and development environments using best-in-class third-party tools.
- This process identifies vulnerabilities in the environment and technology stack.
- Findings are triaged and prioritized and JIRA tickets are created for engineers.
- QA tests are created to confirm remediation in Test and Production environments.
- Macrometa has a dedicated white hacker on staff performing continuous penetration testing.
- Third-party penetration testing is performed annually.
- Change management processes are clearly defined and followed to guarantee that any changes to production are properly documented, approved and reviewed.
- Status page updates and customer notices are posted.
- No unauthorized changes are made to production or customer environments.
Scheduled Maintenance & Critical Patching
- Systems are scheduled for regular maintenance, software updates, and patching.
- Controlled processes exist for critical and emergency patching when required.
- Customers are notified of scheduled and emergency maintenance via agreed channels.
- All customer data is encrypted at rest.
- All customer data is encrypted in transit using TLS 1.2 or greater.
- No customer production data is copied or used in troubleshooting or test environments unless it is at the request of the customer.
- All production systems are required to run AV software.
VPN, Firewalls IDS and IPS
- Macrometa requires VPN to access production environments.
- Macrometa cloud environments are protected by firewalls following vendor-recommended configurations.
- Macrometa uses intelligent scanning and monitoring tools for intrusion detection and prevention.
Password Policy and MFA
- Macrometa’s password policy requires strong passwords that follow NIST 800-63b recommendations.
- VPN and SSO require multi-factor authentication (MFA).
- Customer approval workflows for access to production systems available.
ORGANIZATIONAL SECURITY CONTROLS
Macrometa has implemented organizational security controls across all aspects of its products and services. Organizational Controls include:
- International criminal and educational verification.
New Hire Onboarding Checks
- Employment Agreement.
- Employee Handbook.
- Confidentiality Agreement.
- Acceptable Use Policy.
- Annual Security Awareness Training.
- Access policy follows least-privilege controls.
- Access is only granted to required roles and approved by managers.
- Macrometa classifies information based on confidentiality to control access and sharing.
- Macrometa’s reviews potential vendors for security practices that will meet or exceed its internal and customer requirements.
- A risk assessment is performed as part of vendor reviews.
- Vendors that may act as subprocessors are required to have a Data Protection Agreement that will meet GDPR, CCPA and global privacy regulations.
Data Backups and Retention
- Macrometa’s infrastructure is architectured for high availability, using redundancy and backups to meet internal and external data retention requirements.
- Backups are daily, weekly and monthly based on requirements.
- Backups are tested regularly for correctness.
- Macrometa’s standard for incident response notifications is 48 hours.
- Macrometa’s incident response plans covers escalation processes, communication plans and customer notices.
Legal basis and legitimate interest
- Macrometa will only process personal data on a legal basis of legitimate interest.
- Macrometa will never access, use or process personal data uploaded by customers to Macrometa’s services.
- Macrometa may anonymize personal data from analytic data collected by its systems and services with the strict intent to:
- Improve its products and services.
- Provide monitoring of the health and availability of its service to meet customer SLAs.
- To bill its customers for services consumed.
- To provide recommendations to customers to improve their experience.
- To provide customer support.
Data Subject Access Requests
Macrometa customers may request a Data Protection Agreement and Standard Contractual Clauses.
We help make the impossible, profitable
Contact our sales team to learn how to get started with the Macrometa Global Data Network
- Learn about features and custom services
- Get pricing information
- Explore use cases for your team