
Overview

Metronome is committed to security and to keeping your data and your customers' data safe. We adhere to industry-leading standards and regularly review our security practices to ensure we have the right systems, policies, and controls in place.

Our security practices are based on three fundamental principles:

  1. Principle of least privilege: No actor in Metronome has access to data or the ability to take actions unless and until that access has been explicitly granted. Access is controlled down to the field level.
  2. Zero trust architecture: Metronome has been built from day one on a zero trust architecture. In practice, this means that every communication between two systems (or between any actor and a system) is authenticated.
    • For example, a user communicating with the Metronome data layer must include a security token in each request. The data layer may service that request by calling other services, which in turn call further services or databases. The same security token is passed along on each of these underlying calls, and each service in the stack independently verifies the token and grants only the access it authorizes, rather than trusting that an upstream service already did so. Combined with the principle of least privilege, every part of the Metronome product enforces that actors (human or system) can access only the minimal data needed for their task.
  3. No access granted via long-lived credentials or configuration: Because of Metronome's zero trust architecture, almost no part of Metronome's system depends on long-lived API keys or other static security tokens. Our AWS organization is set up so that there are no long-lived AWS credentials on developers' machines. Developers must mint new credentials each day, and those credentials last only 12 hours.
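As an added illustration of the per-hop token verification and field-level scoping described above (this is example code written for this page, not Metronome's own implementation; the token format, the scope names, the three service names and the shared HMAC key are all assumptions made for the demo):

```python
"""Per-hop token verification with least-privilege scopes (hypothetical demo).

Every service in the call chain re-verifies the caller's token and checks
only the scope it needs, instead of trusting that the service that called
it already did. The token is forwarded unchanged on each hop; no service
substitutes its own broader credential.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment would use short-lived, rotated
# keys (or asymmetric keys from an identity provider), not a hard-coded one.
VERIFY_KEY = b"demo-hmac-key-not-for-production"


class AuthError(Exception):
    """Raised by any hop that cannot verify or authorize the token."""


def mint_token(subject, scopes, ttl_seconds):
    """Issue a short-lived token: base64(JSON payload) '.' HMAC-SHA256."""
    payload = {"sub": subject, "scopes": sorted(scopes),
               "exp": int(time.time()) + ttl_seconds}
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()).decode()
    sig = hmac.new(VERIFY_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, required_scope):
    """Check signature, expiry and one required scope; return the payload."""
    try:
        body, sig = token.split(".")
    except ValueError:
        raise AuthError("malformed token")
    expected = hmac.new(VERIFY_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        raise AuthError("bad signature")
    payload = json.loads(base64.urlsafe_b64decode(body))
    if payload["exp"] <= int(time.time()):
        raise AuthError("expired")
    if required_scope not in payload["scopes"]:
        raise AuthError(f"missing scope {required_scope}")
    return payload


# Constructed sample data. Scopes are per field, so a token that may read
# "plan" cannot read "card_last4" even though both live in the same row.
DB = {"customer-1": {"plan": "enterprise", "card_last4": "4242"}}


def db_layer(token, customer_id, field):
    """Innermost hop: requires a field-specific read scope."""
    verify_token(token, f"db:read:{field}")
    return DB[customer_id][field]


def billing_service(token, customer_id):
    """Middle hop: verifies its own scope, then forwards the same token."""
    verify_token(token, "billing:read")
    return {"plan": db_layer(token, customer_id, "plan")}


def api_layer(token, customer_id):
    """Outermost hop: verifies its own scope, then forwards the same token."""
    verify_token(token, "api:invoices")
    return billing_service(token, customer_id)


def handle_request(token, customer_id):
    """Return (status, body) so allow and deny decisions are visible."""
    try:
        return 200, api_layer(token, customer_id)
    except AuthError as err:
        return 403, str(err)


if __name__ == "__main__":
    full = mint_token("user-1", ["api:invoices", "billing:read", "db:read:plan"], 3600)
    print(handle_request(full, "customer-1"))
    # A token that passes the outer two hops is still rejected at the DB hop.
    partial = mint_token("user-1", ["api:invoices", "billing:read"], 3600)
    print(handle_request(partial, "customer-1"))
```

The point of the example is the `partial` token: it clears the API and billing hops, and the request is only refused at the database layer because that hop verifies the token itself instead of assuming the caller was already authorized. Dropping the `verify_token` call from `db_layer` would silently turn the chain back into a trusted-perimeter design.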

For the most detailed and up-to-date information on security at Metronome, visit our security page. To request a copy of our SOC 2 report, please contact your Metronome representative.