Trust & Safety

Security at Metricty

How we protect your store data and keep your account safe.

TLS 1.3 Encryption
All data in transit is encrypted using TLS 1.3. We enforce HTTPS everywhere.
AES-256 at Rest
Your data is encrypted at rest using AES-256, the same standard used by banks.
Zero Password Storage
We use Supabase Auth. Your password is never stored in plain text — only a bcrypt hash.
Row Level Security
Supabase RLS ensures each user can only ever access their own data. No cross-contamination.
Token Encryption
Integration tokens (Shopify, WooCommerce) are encrypted before storage.
Audit Logging
Admin actions are logged with timestamps. We know who accessed what and when.
๐Ÿ—

Infrastructure Security

Metricty runs on DigitalOcean infrastructure in their NYC3 data center region:

  • Isolated servers: Our application runs on dedicated virtual machines with firewall rules restricting all unnecessary inbound traffic
  • Nginx reverse proxy: All traffic passes through Nginx with hardened security headers (HSTS, X-Frame-Options, CSP, XSS protection)
  • SSL/TLS: Certificates managed via Let's Encrypt with automatic renewal. HTTPS is enforced everywhere — HTTP requests are redirected
  • Regular updates: OS and dependency security patches are applied promptly
  • Database: Hosted on Supabase (AWS us-east-1) with point-in-time recovery enabled

Authentication & Access Control

  • JWT authentication: All API requests require a valid JSON Web Token issued by Supabase Auth
  • Short-lived tokens: Access tokens expire after 1 hour and are refreshed automatically
  • Row Level Security: Every database query is scoped to the authenticated user at the database level — not just the application layer
  • Admin separation: Admin accounts are explicitly role-tagged. Admin routes require server-side role verification
  • Rate limiting: API endpoints are rate-limited to 100 requests per 15 minutes per IP to prevent brute force attacks

Integration Security

When you connect Shopify, WooCommerce, or ad platforms:

  • OAuth only: We use official OAuth flows — we never ask for your store admin password
  • Minimal scopes: We request only read permissions on orders, products, and analytics. We cannot write to your store
  • Encrypted storage: Access tokens are encrypted before being stored in our database
  • Revocable: You can disconnect any integration at any time from your dashboard, which immediately invalidates our access

AI & Data Processing

Your store data is used to generate your reports via Anthropic's Claude API:

  • We send only aggregated metrics (revenue, profit, orders, top products) to the AI — not raw order data or customer PII
  • Anthropic's API is called over encrypted HTTPS
  • We have a data processing agreement with Anthropic
  • Your data is never used to train AI models

Our Security Practices

  • No secrets in code: All API keys, database credentials, and secrets are stored as environment variables — never hardcoded
  • Dependency scanning: We run regular dependency audits to catch vulnerable packages
  • Helmet.js: Security headers are enforced on every HTTP response including Content-Security-Policy, X-Frame-Options, and Referrer-Policy
  • Input validation: All user inputs are validated and sanitized server-side
  • Backups: Database backups run daily with 7-day retention

Vulnerability Disclosure

We take security reports seriously. If you discover a vulnerability in Metricty:

  • Email [email protected] with details
  • Include steps to reproduce and the potential impact
  • Give us reasonable time to investigate and fix before public disclosure
  • We will acknowledge your report within 48 hours

We appreciate responsible disclosure and will credit researchers who help improve our security.

Questions?

Security is a conversation, not a checkbox.

If you have specific security requirements or questions about how we handle your data, we're happy to talk.