Metal

Security and Privacy at Metal

We prioritize security across our products, infrastructure, and processes, providing you with the peace of mind that your data is protected.

Metal’s Security and Privacy teams build controls, ensure compliance, and validate standards through external audits.

Core Principles

Minimal Access Policy

Access limited to legitimate needs using least privilege

Security in Layers

Layered security controls follow a defense-in-depth approach

Unified Security Standards

Security controls must maintain uniformity across all enterprise domains.

Improve as You Go

Iterative controls improve effectiveness, auditability, and reduce friction

Data Protection

Data at Rest

Customer data stored across databases and S3 buckets is encrypted by default, with row-level encryption applied to sensitive records for an added layer of protection.

Data in Transit

All data transfers are secured with TLS 1.2+ encryption and modern transport protections, ensuring safe communication across external networks.

Secret Management

Encryption keys are managed through AWS KMS and securely stored in hardware security modules, preventing direct access while enabling protected operations.

Product Security

Static Analysis Testing

Static Analysis
Testing

Customer data stored across databases and S3 buckets is encrypted by default, with row-level encryption applied to sensitive records for an added layer of protection.

Software Composition Analysis

Software Composition
Analysis

All data transfers are secured with TLS 1.2+ encryption and modern transport protections, ensuring safe communication across external networks.

Malicious Dependancy Scanning

Malicious dependency scanning to prevent the introduction of malware into our software supply chain

Dynamic Analysis

Dynamic analysis (DAST) of running applications

Data Privacy

Data privacy is a top priority at Metal, and we remain deeply committed to responsibly safeguarding the sensitive information entrusted to us at all times.

Terms & Service