Security & Trust Center
Full transparency on security and compliance · Last updated February 25, 2026
Certification status
Last updated February 25, 2026
GDPR
Obligations under the EU General Data Protection Regulation are met.
EU hosting · DPA signed · data subject rights (Art. 15-22) implemented · privacy@metrikia.io
CASA Tier 2
Cloud Application Security Assessment, required by Google for applications requesting the restricted OAuth scope auth/adwords (Google Ads API).
OWASP ASVS 4.0 · 50+ controls verified · Feb 2026
Infrastructure DPA
Data Processing Agreement with Railway (EU host), compliant with GDPR Article 28.
DocuSign · EU SCCs Module 2 · Signed 2026-02-24
SOC 2 Type II
In progress: attestation against the AICPA Trust Services Criteria (Security, Availability, Confidentiality). A SOC 2 Type II engagement yields an independent auditor's report rather than a certificate.
~87% of controls in place · report targeted for Q4 2026
Security architecture
Technical controls in place on every layer of the application.
Encryption at rest and in transit
Data at rest is encrypted with libsodium crypto_secretbox (XSalsa20-Poly1305, authenticated encryption with 256-bit keys). Data in transit is protected by TLS 1.3. Encryption is server-side, with keys held by the service, so this protects against database and backup exposure; it is not end-to-end encryption in the strict sense.
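The control above, as an added illustration that is not Metrikia's own code: a small PHP class encrypting a stored field with ext-sodium's crypto_secretbox (XSalsa20-Poly1305). It assumes a 32-byte key supplied by the caller (in practice from a secrets manager or environment variable, never the database), and the "v1" prefix is a hypothetical version tag to allow key rotation later.

```php
<?php
// Added example, not Metrikia's code. Field-level encryption at rest with
// libsodium crypto_secretbox: XSalsa20 for confidentiality, Poly1305 for integrity.
// Assumptions: a 32-byte key provided by the caller; "v1" is a hypothetical
// version tag so a future key can coexist with data encrypted under this one.

declare(strict_types=1);

final class FieldCipher
{
    private const VERSION = 'v1';

    /** @param string $key exactly SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) raw bytes */
    public function __construct(private string $key)
    {
        if (strlen($key) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
            throw new InvalidArgumentException('key must be exactly 32 bytes');
        }
    }

    public function encrypt(string $plaintext): string
    {
        // Fresh 24-byte random nonce per message. XSalsa20's 192-bit nonce makes
        // random nonces safe; the nonce is stored alongside the ciphertext.
        $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = sodium_crypto_secretbox($plaintext, $nonce, $this->key);

        return self::VERSION . ':' . sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_ORIGINAL);
    }

    public function decrypt(string $stored): string
    {
        $parts = explode(':', $stored, 2);
        if (count($parts) !== 2 || $parts[0] !== self::VERSION) {
            throw new RuntimeException('unknown ciphertext version');
        }

        $blob  = sodium_base642bin($parts[1], SODIUM_BASE64_VARIANT_ORIGINAL);
        $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
        $box   = substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);

        // Poly1305 tag verification: any change to nonce or ciphertext yields false.
        $plain = sodium_crypto_secretbox_open($box, $nonce, $this->key);
        if ($plain === false) {
            throw new RuntimeException('ciphertext failed authentication');
        }

        return $plain;
    }
}

// Self-check with a freshly generated key and a constructed sample value.
$cipher = new FieldCipher(sodium_crypto_secretbox_keygen());
$sample = 'example-refresh-token';
$stored = $cipher->encrypt($sample);

if ($cipher->decrypt($stored) !== $sample) {
    throw new LogicException('round trip failed');
}
// Same plaintext encrypts differently each time because the nonce is random.
if ($cipher->encrypt($sample) === $stored) {
    throw new LogicException('nonce reuse');
}
```

The two properties worth checking in any such implementation are visible here: the nonce is never reused (a fresh random one per message, stored with the ciphertext), and decryption refuses tampered data instead of returning garbage, because secretbox is authenticated. The key itself must live outside the database, otherwise a dump of the database defeats the scheme.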
Strong authentication
JWT 15 minutes (RS256), HTTP-only cookie refresh tokens, mandatory MFA/TOTP for administrators.
Multi-tenant isolation
A Doctrine TenantFilter scopes every ORM query to the authenticated tenant, so one account cannot read another account's data.
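As an added example of what such a filter looks like (illustration only, not Metrikia's actual TenantFilter): a Doctrine ORM SQLFilter that appends a tenant predicate to every query on entities carrying a `tenant` association. The App\Doctrine namespace, the `tenant` association name and the `tenantId` parameter are assumptions.

```php
<?php
// Added example, not Metrikia's code: a Doctrine ORM SQLFilter that appends a
// tenant constraint to every query on entities that have a `tenant` association.
// Hypothetical names: the App\Doctrine namespace, the `tenant` association and
// the `tenantId` filter parameter.

declare(strict_types=1);

namespace App\Doctrine;

use Doctrine\ORM\Mapping\ClassMetadata;
use Doctrine\ORM\Query\Filter\SQLFilter;

final class TenantFilter extends SQLFilter
{
    // $targetTableAlias is left untyped so this compiles against both the
    // ORM 2.x (untyped) and ORM 3.x (string) parent signatures.
    public function addFilterConstraint(ClassMetadata $targetEntity, $targetTableAlias): string
    {
        // Entities with no tenant association (lookup tables, the Tenant entity
        // itself) are not scoped; everything else gets the constraint.
        if (!$targetEntity->hasAssociation('tenant')) {
            return '';
        }

        // Fail closed: getParameter() throws InvalidArgumentException when no
        // tenant was set for this request, so a code path that forgot to set it
        // raises an error instead of silently returning every tenant's rows.
        // The value is returned already quoted for the connection's platform.
        $tenantId = $this->getParameter('tenantId');

        $column = $targetEntity->getSingleAssociationJoinColumnName('tenant');

        return sprintf('%s.%s = %s', $targetTableAlias, $column, $tenantId);
    }
}
```

In a Symfony application the filter is registered under doctrine.orm.filters in config/packages/doctrine.yaml with enabled: true, and a kernel.request listener sets the parameter from the authenticated user with `$em->getFilters()->getFilter('tenant')->setParameter('tenantId', $tenant->getId())`. Two caveats a reviewer would check: the filter must fail closed when the parameter is missing (as above), and SQL filters apply to DQL and entity loading only, so native SQL queries and direct DBAL access still need their own tenant predicate.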
OAuth token revocation
On logout, OAuth tokens are revoked on the provider side (Google via its RFC 7009 revocation endpoint, Meta via the Graph API, TikTok via its API), not merely deleted locally.
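An added example of the RFC 7009 exchange with Google, written for this page and not taken from Metrikia's code. It assumes ext-curl is available; Meta and TikTok use provider-specific endpoints and are not shown.

```php
<?php
// Added example, not Metrikia's code: revoking a Google OAuth grant on logout
// through Google's RFC 7009 token revocation endpoint. Assumes ext-curl.

declare(strict_types=1);

final class GoogleTokenRevoker
{
    // Passing the refresh token here revokes the whole grant, including any
    // access tokens that were issued from it.
    private const REVOKE_URL = 'https://oauth2.googleapis.com/revoke';

    /** @return bool true when the provider no longer honours the token */
    public function revoke(string $token): bool
    {
        $ch = curl_init(self::REVOKE_URL);
        if ($ch === false) {
            return false;
        }
        curl_setopt_array($ch, [
            CURLOPT_POST           => true,
            CURLOPT_POSTFIELDS     => http_build_query(['token' => $token]),
            CURLOPT_HTTPHEADER     => ['Content-Type: application/x-www-form-urlencoded'],
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => 5,
        ]);
        $body   = curl_exec($ch);
        $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);

        if ($status === 200) {
            return true;
        }

        // RFC 7009 says an already-invalid token should still get a 200; Google
        // instead answers 400 {"error":"invalid_token"}. Either way the token is
        // dead, which is the outcome logout needs, so treat it as success.
        if ($status === 400 && is_string($body)) {
            $json = json_decode($body, true);
            return is_array($json) && ($json['error'] ?? null) === 'invalid_token';
        }

        return false;
    }
}
```

The logout handler should delete the locally stored token regardless of what this call returns, and queue a retry when revocation fails (network error, 5xx), so that a provider outage never leaves a live grant behind after the user believes they have disconnected.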
Security Headers
HSTS, a strict Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and a restrictive CORS policy on all API and frontend endpoints.
CI/CD Security
Trivy (CVE scanning), Dependabot (dependency updates), PHPStan level 8 and npm audit run on every deployment.
Daily backups
PostgreSQL is backed up daily by Railway. RPO 24 h; RTO about 30 min (redeploy from Git).
Monitoring & Alerts
Sentry (errors and tracing), Messenger metrics, Docker health checks, cron monitoring on 7 scheduled commands.
Sub-processors
Complete list of third parties that process customer data on our behalf.
| Sub-processor | Purpose | Region | Safeguards |
|---|---|---|---|
| Railway | PaaS Infrastructure (API, DB, Workers) | EU West — Amsterdam (NL) | DPA signed · EU SCCs Module 2 |
| Meta Platforms | Meta Ads advertising data | USA → EU | EU SCCs |
| Google LLC | Google Ads + Analytics advertising data | USA → EU | EU SCCs |
| TikTok Pte. Ltd. | TikTok Ads advertising data | Singapore → EU | EU SCCs |
| Stripe, Inc. | Payment processing | USA → EU | EU SCCs |
| Sentry (Functional Software) | Error and performance monitoring | USA → EU | EU SCCs |
| Anthropic, PBC | Diana AI (customer support) | USA → EU | EU SCCs · Anonymized data |
Customers are notified at least 30 days before any change to this list.
Responsible disclosure
If you identify a security vulnerability in Metrikia, please report it responsibly. We commit to responding within 48 business hours and to fixing critical vulnerabilities within 7 days.
Resources & Documents
NDA Documents & Reports
Access confidential technical documents via our secure Trust Center.