Security and Privacy at Metal

We prioritize security across our products, infrastructure, and processes, providing you with the peace of mind that your data is protected.

The Security and Privacy teams at Metal craft policies and controls, ensure adherence to these measures, and prove our security and compliance to external auditors.

Our policies are based on the following foundational principles:

Grant access solely to those with legitimate business needs, following the principle of least privilege.

Implement security controls in layers, following a defense-in-depth approach.

Security controls must maintain uniformity across all enterprise domains.

Implement controls iteratively, improving effectiveness and auditability while reducing friction.

Data Protection


Data at Rest

At rest, all customer data residing in datastores and S3 buckets is encrypted. In addition, row-level encryption is applied to sensitive collections and tables, so that this data is already encrypted before it reaches the database. This multilayered approach ensures that access to either the physical infrastructure or the database itself is insufficient to reach highly sensitive information.


Data in Transit

Metal requires TLS 1.2 or higher for all data transmitted over potentially insecure networks. Additionally, HSTS (HTTP Strict Transport Security) is used so that browsers connect to Metal only over HTTPS. Server TLS keys and certificates are managed by AWS and deployed through Application Load Balancers.
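As an added example (not Metal's code), the two transit controls named above in Go: a server-side TLS configuration with a TLS 1.2 floor, an HSTS middleware, and a client-side check that verifies an endpoint actually negotiates TLS 1.2 or higher and returns the header. The max-age value and the cert.pem/key.pem paths are assumptions of this example; in the architecture described above, TLS terminates at the load balancer, so the server half would be configured there rather than in application code.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// HSTSHeaderValue is the Strict-Transport-Security policy this example sends.
// One year with subdomains is an assumed value; the page states no max-age.
const HSTSHeaderValue = "max-age=31536000; includeSubDomains"

// TLSConfig returns a server configuration that refuses handshakes below
// TLS 1.2, the floor stated for traffic over untrusted networks.
func TLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

// WithHSTS adds the HSTS header to every response so browsers keep using
// HTTPS on later visits. Only meaningful on responses served over TLS.
func WithHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", HSTSHeaderValue)
		next.ServeHTTP(w, r)
	})
}

// Report records what a client observed on one connection.
type Report struct {
	TLSVersion uint16 // negotiated version, e.g. tls.VersionTLS13
	HSTS       string // Strict-Transport-Security header, empty if absent
}

// CheckEndpoint is the verification side: connect, then confirm both
// properties hold. The observations are returned alongside any failure so
// a caller can log what was actually negotiated.
func CheckEndpoint(client *http.Client, url string) (Report, error) {
	resp, err := client.Get(url)
	if err != nil {
		return Report{}, err
	}
	defer resp.Body.Close()
	if resp.TLS == nil {
		return Report{}, errors.New("connection was not protected by TLS")
	}
	rep := Report{
		TLSVersion: resp.TLS.Version,
		HSTS:       resp.Header.Get("Strict-Transport-Security"),
	}
	if rep.TLSVersion < tls.VersionTLS12 {
		return rep, fmt.Errorf("negotiated TLS version %#x is below 1.2", rep.TLSVersion)
	}
	if rep.HSTS == "" {
		return rep, errors.New("response lacks Strict-Transport-Security")
	}
	return rep, nil
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "ok")
	})
	srv := &http.Server{
		Addr:      ":8443",
		Handler:   WithHSTS(mux),
		TLSConfig: TLSConfig(),
	}
	// cert.pem and key.pem are placeholder paths for a local run; with a load
	// balancer in front, the certificate lives there instead.
	if err := srv.ListenAndServeTLS("cert.pem", "key.pem"); err != nil {
		fmt.Println("server stopped:", err)
	}
}
```

CheckEndpoint is the part worth keeping in a monitoring job: pointed at a production hostname, it fails loudly if a configuration change ever lowers the TLS floor or drops the HSTS header.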


Secret Management

Encryption keys are managed within Metal using the AWS Key Management Service (KMS). Key material is stored in Hardware Security Modules (HSMs) and is never directly accessible to any individual, including Amazon and Metal employees. Encryption and decryption operations use these HSM-resident keys through the KMS APIs.
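The row-level encryption described under Data at Rest and the KMS-backed key handling described here fit together as envelope encryption. The following Go program is an added example, not Metal's code: a FakeKMS type stands in for AWS KMS (its master key never leaves the struct, as HSM-resident key material never leaves KMS), each row gets its own data key, and the sensitive field is sealed with AES-GCM before the row would be written. The FakeKMS type, the field names and the key sizes are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// newGCM builds an AES-GCM AEAD over a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM returns nonce||ciphertext||tag with a fresh random nonce per call.
func sealGCM(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand.Read is documented (Go 1.24+) never to fail
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openGCM reverses sealGCM; any modification of the blob fails authentication.
func openGCM(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

// FakeKMS stands in for AWS KMS so this example runs offline (an assumption of
// this example). The master key never leaves the struct, mirroring HSM-resident
// key material: callers only ever receive data keys, never the master key.
type FakeKMS struct{ master []byte }

func NewFakeKMS() *FakeKMS {
	master := make([]byte, 32) // AES-256 master key, generated once
	rand.Read(master)
	return &FakeKMS{master: master}
}

// GenerateDataKey mirrors the KMS call of the same name: a fresh data key,
// returned in plaintext (use now, then discard) and wrapped (store with the row).
func (k *FakeKMS) GenerateDataKey() (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	rand.Read(plain)
	if wrapped, err = sealGCM(k.master, plain); err != nil {
		return nil, nil, err
	}
	return plain, wrapped, nil
}

// Decrypt mirrors the KMS Decrypt call, the only way back from a wrapped key.
func (k *FakeKMS) Decrypt(wrapped []byte) ([]byte, error) {
	return openGCM(k.master, wrapped)
}

// Row is what the datastore holds; the sensitive field is already ciphertext.
type Row struct {
	ID         string
	Email      string // non-sensitive, stored in the clear
	Sensitive  []byte // AES-GCM ciphertext of the sensitive value
	WrappedKey []byte // this row's data key, wrapped by KMS
}

// EncryptRow is the write path: one data key per row, field sealed before the
// row is handed to the database, plaintext key dropped on return.
func EncryptRow(kms *FakeKMS, id, email, sensitive string) (Row, error) {
	dataKey, wrapped, err := kms.GenerateDataKey()
	if err != nil {
		return Row{}, err
	}
	ct, err := sealGCM(dataKey, []byte(sensitive))
	if err != nil {
		return Row{}, err
	}
	return Row{ID: id, Email: email, Sensitive: ct, WrappedKey: wrapped}, nil
}

// DecryptRow is the read path: unwrap via KMS, then open the field. Without
// KMS access, the database contents alone cannot complete the first step.
func DecryptRow(kms *FakeKMS, row Row) (string, error) {
	dataKey, err := kms.Decrypt(row.WrappedKey)
	if err != nil {
		return "", err
	}
	pt, err := openGCM(dataKey, row.Sensitive)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

With the real service, GenerateDataKey and Decrypt map onto the KMS API operations of the same names and the master key is a KMS key; everything else stays application-side. The property to verify in review is that a dump of the stored rows contains ciphertext and wrapped keys only, and that a copy of the database under a different master key cannot be read.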

Product Security

Vulnerability Scanning

Metal requires vulnerability scanning at key stages of our Secure Development Lifecycle (SDLC):

Static Analysis Testing

Static analysis (SAST) of code during pull requests and on an ongoing basis.

Software Composition Analysis

Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.

Malicious Dependency Scanning

Malicious dependency scanning to prevent the introduction of malware into our software supply chain.

Dynamic Analysis

Dynamic analysis (DAST) of running applications.

Data Privacy

Data privacy takes precedence at Metal: we are committed to being responsible custodians of sensitive data.


Privacy Policy

View Metal’s Privacy Policy.

Terms of Service

View Metal’s Terms of Service.