Security at Metadata

A security-first mindset rooted in our core value of trust

“The security and privacy of our customers' data assets are vital. As the Chief Information Security Officer for Metadata, it is my responsibility to protect the integrity of the metadata platform, and the data and assets you entrust to us. With Metadata, you can focus on marketing, knowing your data is secure and as your partner, adhering to the most rigorous privacy regulations.”

SOC 2 Type II Report

We have assessed and audited our security as set forth in TSP section 100, 2017 Trust Services Criteria developed by the Assurance Services Executive Committee (ASEC) of the AICPA. The Trust Services Criteria is a set of control criteria to be used when evaluating the suitability of the design and operating effectiveness of controls relevant to the security, availability, or processing integrity of information and systems and the confidentiality or privacy of the information processed by Metadata. 

We maintain a SOC 2 Type II report, which is designed to certify that the controls we maintain meet a high level of security. Our SOC 2 Type II report is available to all customers at any time.

Security, Trust, Privacy

These are the foundational principles on which the Metadata platform was built, and they run through every aspect of our business. Metadata has engaged independent experts and third parties to verify our security, privacy, and compliance controls, and has achieved related certifications.

Stringent Security Controls

Metadata monitors hundreds of internal and external security controls across our organization using a centralized automation and compliance management platform. Automated alerts and evidence collection are designed to allow Metadata to verify its security and compliance posture on an ongoing basis while fostering a security-first mindset and culture of compliance across the organization. 

  • 3rd Party Penetration Testing
    Metadata completes annual penetration testing by a qualified 3rd party assessor. Summaries of these reports are available to any Metadata client who requests them.
  • Phishing Testing
    We have simulated phishing exercises with all worldwide staff using realistic phishing emails and methods. Employees are required to retrain should they fall victim to a simulated phishing attack, and all staff are encouraged to submit suspicious emails and other phishing attempts to an internal system that monitors attempts to compromise our platform through social engineering methods.
  • Annual Security Training
    We’ve partnered with a security awareness and training company that covers dozens of major topics for our employee training. Every new employee and contractor is required to take this training. As the threat landscape for companies is ever-changing, new training covering new and relevant topics is assigned to all staff periodically.
  • Secure by Design
    We strive to adhere to the principle of least privilege when connecting to customers’ environments and to scope our access to only what’s reasonably needed to satisfy customers’ needs at any given point. We log this activity and monitor it for compliance with internal controls.

Data Security, Privacy And Compliance

SOC 2 Type II

Metadata has achieved a SOC 2 Type II certification in relation to our information security program. As well as providing clients with our SOC 2 Type II attestation, we also provide clients access to our real-time compliance monitoring platform, which performs ongoing monitoring of the controls found in our SOC 2 Type II report, so a customer may at any time view information about our compliance and security posture in real time.

General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)

At Metadata, we are strong supporters of privacy and we have implemented policies and procedures designed to adhere to the GDPR (i.e. the General Data Protection Regulation 2016/679 (EU GDPR) and the EU GDPR as it forms part of UK law (UK GDPR)), CCPA, and other privacy regulations. For example, when we act as a “processor” (e.g., when we handle personal data provided by our customers) under the GDPR, we will enter into a data processing agreement (DPA) with our customers which will include data transfer mechanisms designed to appropriately safeguard personal data that we transfer outside of the EEA and/or UK as required by the GDPR.


Web Application and Next Generation Firewalls

Metadata uses a Web Application Firewall (WAF) coupled with Next Generation Firewalls (NGFWs) designed to block the latest threats spotted around the world.


A minimum of Transport Layer Security (TLS) version 1.2 is used for data in transit, and encryption at rest is used, throughout all instances and confidential and secure networks. AES-256 is used to encrypt data at rest within our platform to assist with the protection of confidential customer data.


Metadata makes use of trusted third party tools and platforms in an effort to protect its infrastructure, including to help ensure that only quality code is committed and released to production and that malicious modifications to our code are not introduced into production. Code merges undergo a static code analysis check before the code is merged to the main branch; the check is designed to identify vulnerabilities in real time.

Third Party Library Scanning

We regularly scan all of our libraries to help ensure we do not have vulnerable libraries in the codebase, and we monitor our codebase against the National Vulnerability Database of the U.S. National Institute of Standards and Technology (NIST), among others. Alerts on relevant threats are sent to our Security Operations and Engineering Teams.

Credential Checking

We scan our codebase to help ensure that credentials are not accidentally merged into code.

Peer Reviewed Merges

Along with our two-approver requirement, all code is peer-reviewed by a Senior Engineer before being merged to the main branch and released to production.


Mobile Device Management

All of our devices are centrally managed with policies around security, patching, and encryption enforced.

Endpoint Detection and Response

Metadata uses technologies designed to ensure endpoint security, including antivirus and antimalware tools intended to identify and respond to potential threats. These technologies go beyond antivirus and use endpoint protection and response tools in an effort to detect malicious activity and the chain of events which may lead up to a security event.