Metamarkets customers entrust us with sensitive, confidential business data, and we are committed to providing the strongest available security for that data.
Effective security is characterized not only by adherence to certain industry standards, but also by implementing multiple levels and types of protection. This page explains how Metamarkets effectively protects customers using best practices, multiple levels of control, and complementary types of security mechanisms. It also lays out what customers can do to further enhance the security of their data.
Your data is stored on Amazon AWS, a certified world-class secure environment that meets the strictest requirements set by government agencies such as DoD and standards bodies such as ISO. You can read more about Amazon security here.
You own and control your S3 bucket. Metamarkets provides you with a custom S3 policy for that bucket to ensure that only you and Metamarkets can access the data within. This keeps your data private and segregated from other users’ data.
Metamarkets uses your data only to generate the analytics that we provide you as a service, and to discover ways to optimize and improve that service. Your data is accessed only by Metamarkets employees who require it in order to provide you with that service.
Once your data is processed by Metamarkets, it is retained only for as long as needed to provide you with contracted services or for as long as mandated by our contract with you. After such requirements expire, your data is permanently deleted and can no longer be viewed.
Secure Connections and Data Transfer
Securely transferring your data to Metamarkets is critically important. HTTPS (encrypted) connections should be used when you upload files to your Amazon S3 buckets. If you use our dashboard for real-time analytics, HTTPS is required for you to stream real-time data to our HTTP endpoints.
HTTPS is also required to connect to your Metamarkets dashboard, where you view the information generated from your data. To provide an additional layer of security, we use an Extended Validation SSL certificate for HTTPS connections to the dashboard. This type of certificate provides better authentication guarantees when you connect to the dashboard.
Your data is accessed and processed by Metamarkets entirely within the AWS environment, continuing to benefit from the security built into the AWS infrastructure.
We take the AAA approach to application security. Authentication, authorization, and accounting is an approach to security that implements control and tracking of access:
- Authentication – Users must authenticate before being able to view company dashboards. Administrators can disable users and change which company dashboards those users can view, and even mimic a user’s account to confirm that user’s view.
- Authorization – Users are restricted to dashboards with specific data sources, and cannot change the configuration of data sources. This ensures that users can view only the information intended for them. Non-administrative users are limited to making changes to their own accounts, but their view of dashboards cannot exceed the scope set by an administrator.
- Accounting – Logs track access and usage, allowing for auditing and tracing.
We enforce a requirement for minimum password length on all of your accounts. All user account passwords are one-way encrypted and not viewable by Metamarkets personnel.
Static security measures can become outdated and vulnerable. To maintain the effectiveness of our security posture, we:
- Perform regular reviews of our security policies;
- Proactively evaluate, patch, update, and upgrade our software and hardware infrastructure;
- Use penetration testing to simulate attacks to discover and fix vulnerabilities;
- Contract third-party security professionals to audit our security practices.
What You Can Do Now
Our customers are confident that they can trust their data to Metamarkets. Security, however, is a shared responsibility. The following are steps you should take to ensure that your data remains secure and that access to your dashboards is limited to authorized users:
- Report security issues immediately. Designed using a “failure containment” approach, our systems detect and contain failures quickly, preventing or limiting potential damage. However, some issues may become apparent to you first, and your timely reporting to Metamarkets will be key to us resolving these quickly. If you suspect or experience a security issue, immediately contact your Metamarkets Account Manager.
- Control access to your S3 buckets. If you share access to your S3 buckets, you share your data. Use the S3 bucket policy provided by Metamarkets to ensure proper access.
- Restrict access to dashboard administrator accounts to users who should have administrative rights. Since administrators have a wide range of capabilities with regard to granting and controlling access, these accounts should be available only to trusted personnel.
- Strongly encourage all users, especially administrators, to:
  - set a password that is difficult to guess,
  - keep that password in a secure place,
  - and change that password on a regular basis.
- Check user lists regularly. Personnel who should no longer have access to the dashboard must have their accounts disabled.
- Embedded dashboards should be set up according to Metamarkets instructions. Users of an embedded dashboard log in to your portal first before their access to the dashboard is verified. Ensure that your user database is up to date with respect to the embedded dashboard.
Metamarkets thoroughly investigates all reported security vulnerabilities in any aspect of our service. If you discover a security vulnerability in the Metamarkets service, or have a concern about a security issue, report it immediately to firstname.lastname@example.org. We will respond to your report within 24 hours and inform you of next steps.
So that we may more effectively respond to your report, please provide supporting material to help us understand the nature and severity of the vulnerability. We will treat any information you share with us as confidential. It will not be shared with third parties without your permission.
Metamarkets will work to resolve the reported issue and eliminate any risks as soon as possible. We will communicate with you regarding our progress and inform you of the issue’s resolution.
While we are researching the reported issue, we request that you not post or share any information about a potential vulnerability in any public setting. Once we have addressed the reported vulnerability and eliminated its associated risks, we will inform all affected parties and make appropriate public announcements as necessary. Should any data that does not belong to you come into your possession as a result of the reported vulnerability, never post or share it except with Metamarkets.