Security and data privacy
Supermetrics is committed to the security and privacy of the data you process with us. To that end, we have created our systems from the ground up based on security and privacy best practices:
- We undergo an annual SOC 2 Type II audit.
- Our products are GDPR and CCPA compliant.
- We do not permanently store the data that you load using our data integrations. The data may be stored in temporary storage to ensure fast retrieval and reliable functionality.
- When using Custom Data Import or Storage services, we store your data in our databases which are encrypted at rest and access controlled.
- While your data is on our systems or traveling between the data source and us or from us to you, the data is always strongly encrypted.
Contact security@supermetrics.com if you have any questions or comments.
Retention of customer processed data
When using Connectors to retrieve data, the customer's processed data exists in temporary storage in our systems. When temporary storage is purged depends on, and varies with, the functionality of the data source. You can always fetch fresh data directly from the data source if the data has been removed from the temporary storage.
We retain your customer access tokens in order to be able to fetch data at your request or on your schedule. These credentials are stored securely in encrypted form. We may also retain data such as custom field metadata or account names and information where that data is required for the functionality of the data source integration.
When using Custom Data Import or Storage services you are in control of the retention of the data you store in our platform.
Please see our Terms of Service and Privacy Policy for more details.
Website, account management, and purchases
All connections to any of our services, our web portal, our account management system, and any purchases you make are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+).
Any attempt to connect over an unencrypted channel (HTTP) is redirected to an encrypted channel (HTTPS).
Connectors
Connections to customers’ data source APIs and systems as well as connections from Supermetrics to data destinations such as Google Sheets, Microsoft Excel, or data warehouses are TLS encrypted by default.
Where we need to connect to a customer’s own database, such connections are also strongly encrypted at the customer’s choice.
Permissions
Data source permissions
Supermetrics requires customers to give access to read the data from data sources such as Facebook Ads and Google Ads APIs. Where possible, we will make use of OAuth access tokens. By this mechanism, the customer grants access to the data through the data source service and we receive a token by which we access and retrieve the data. You will have access to revoke the tokens both from Supermetrics login management as well as from the data source services themselves.
Supermetrics only ever requires the minimum amount of permission to read the data. We will only ever access your data on your instructions through our tools such as Supermetrics for Google Sheets or any automated scheduling that you have set up through Supermetrics. Where a data source gives us more than read-only access due to the nature of the data source, Supermetrics will never make use of those permissions.
Data destination permissions
Supermetrics will require various permissions based on the tools that you will use. For example, with Supermetrics for Google Sheets, we will need access to read and write to your spreadsheets. We request the least amount of permissions that we need in order to provide you the service. Should the default permissions granted be more than we need, we will never make use of those permissions.
In some cases, we provide multiple avenues to get data into your data destination. For example, we may provide tools to get data to your Google BigQuery where you will need to give us permissions to create schemas in your Google BigQuery database; however, you can also use our Google BigQuery Data Transfer Service Connectors, where you do not need to give us such access at all. Please talk to our sales team about the best options for your organization and how we can help you.
Platform infrastructure
We follow industry best practices including the use of hardened and customized server images, bastion hosts, different types of firewalls, and multi-factor authentication. As a “data privacy first” organization, we follow best practices on enforcement of least privilege, monitoring and reviewing our access control policies and privileged access.
We conduct annual third-party security audits of our application and systems. The reports of these tests may be obtained from us under NDA. Please create a support ticket if you are interested in reviewing our audit reports.
Physical and environmental safeguards
Supermetrics uses leading cloud providers to process your data. Google Cloud Platform and Amazon Web Services are our providers of choice and both organizations have excellent compliance and regulatory audits including SOC 1/2-3, PCI-DSS, and ISO27001.
Documents on Google Cloud Platform and Amazon Web Services certifications can be obtained directly from Google and Amazon respectively.
Company policies
Supermetrics requires that all employees comply with policies designed to keep any and all customer information safe. We ensure that all new employees are immediately trained on our policies and information security, and that training is conducted annually thereafter.
Two-factor authentication, VPNs, and strong passwords are required for administrative access to systems. All such policies are reviewed on a regular basis. Our software development life cycle includes multiple controls to ensure security best practices are followed, including vulnerability management, change management, etc.
GDPR, CCPA and data sovereignty
Supermetrics is compliant under both GDPR and CCPA. Your data is processed on AWS and GCP servers in the EU. Our sub-processors may transfer or process personal data outside the EU/EEA. When personal data is transferred or processed outside the EU/EEA, we ensure that the data is transferred by using the EU Commission’s Standard Contractual Clauses or by other appropriate safeguards as described in Article 46 of the GDPR. If you have further questions on data sovereignty, do not hesitate to contact us.
For more information, please see our Data Processing Agreement (as part of our Terms of Service), Privacy Policy and our Sub-processor list.