Security and data privacy
Supermetrics is committed to the security of the data you process with us. To that end, we have created our systems from the ground up based on security and data protection best practices:
- We do not store the data that you load using our data integrations. At no time does your data ever enter a backup.
- We cache data for the time required for us to serve you in an efficient manner. In almost all cases, data remains in short-lived encrypted caches.
- While your data is on our systems or traveling between the data source and us or from us to you, the data is always strongly encrypted.
Contact firstname.lastname@example.org if you have any questions or comments.
Retention of customer processed data
All customer processed data exists as cached data in our systems. All caches are regularly invalidated with the timeline dictated by the design of the data source. In some cases caches may exist only for a few minutes and in some very rare cases, where we will tell you and obtain further consent, the caches may exist longer. Because we only ever cache the data, none of your processed data is ever stored to a backup. You can always fetch fresh data directly from the data source if the caches have been removed.
We do retain your customer access tokens in order to be able to fetch data at your request or your schedules. These credentials are securely stored encrypted. We may also retain data such as custom field metadata or account names and information where that data is required for the functionality of the data source integration.
Website, account management, and purchases
All connections to any of our services, our web portal, our account management system, and any purchases you make are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+).
Any attempt to connect over an unencrypted channel (HTTP) is redirected to an encrypted channel (HTTPS).
Connections to customers’ data source APIs and systems as well as connections from Supermetrics to data destinations such as Google Sheets, Microsoft Excel, or data warehouses are SSL encrypted by default.
Where we need to connect to a customer’s own database, such connections are also strongly encrypted at the customer’s choice.
Data source permissions
Supermetrics requires customers to give access to read the data from data sources such as Facebook Ads and Google Ads APIs. Where possible, we will make use of OAuth access tokens. By this mechanism, the customer grants access to the data through the data source service and we receive a token by which we access and retrieve the data. You will have access to revoke the tokens both from Supermetrics login management as well as from the data source services themselves.
Supermetrics only ever requires the minimum amount of permission to read the data. We will only ever access your data on your instructions through our tools such as Supermetrics for Google Sheets or any automated scheduling that you have set up through Supermetrics. Where a data source gives us more than read-only access due to the nature of the data source, Supermetrics will never make use of those permissions.
We treat your tokens like passwords, they are strongly encrypted and never shared or logged.
Data destination permissions
Supermetrics will require various permissions based on the tools that you will use. For example, with Supermetrics for Google Sheets we will need access to read and write to your spreadsheets. We request the least amount of permissions that we need in order to provide you the service. Should the default permissions granted be more than we need, we will never make use of those permissions.
In some cases we provide multiple avenues to get data into your data destination. For example, we may provide tools to get data to your Google BigQuery where you will need to give us permissions to create schemas in your Google BigQuery database, however, you can also use our Google BigQuery Data Transfer Service Connectors where you do not need to give us such access at all. Please talk to our sales team for the best options for your organization and how we can help you.
We practice industry best practices including the use of hardened and customized server images, bastion hosts, different types of firewalls and multi-factor authentication. As a “data privacy first” organization we follow regular standards on enforcement of least privilege, monitoring and reviewing our IAM (identity and access management) policies and security roles.
We conduct annual third-party security audits of our application and systems. The reports of these tests may be obtained from us under NDA.
Physical and environmental safeguards
Supermetrics uses leading cloud providers to process your data. Google Cloud Platform and Amazon Web Services are our providers of choice and both organizations have excellent compliance and regulatory audits including SOC 1/2-3, PCI-DSS, and ISO27001.
Documents on Google Cloud Platform and Amazon Web Services certifications can be obtained directly from Google and Amazon respectively.
Supermetrics requires that all employees comply with security policies designed to keep any and all customer information safe, and address multiple security compliance standards, rules and regulations. We ensure that all employees are immediately trained on our security policies and at the very least annually conducted thereafter.
Two-factor authentication, VPNs, and strong password controls are required for administrative access to systems. All such policies are reviewed on a regular basis. Supermetrics has various change management and peer review practices in place within our software development life cycle to ensure best practices are followed.
GDPR, CCPA compliance, and data sovereignty
Supermetrics is compliant under both GDPR and CCPA. Your data is processed in the European Union. Any transfer to a third country is guaranteed under GDPR rules. However, we can go a step further and ensure that your data stays only within the EU. If you have further needs on data sovereignty, do not hesitate to contact us.