Security and data privacy
Supermetrics is committed to the security of the data you process with us. To that end, we have created our systems from the ground up based on security and data protection best practices:
- Our processes have been audited by external auditors and Supermetrics is SOC 2 Type II, GDPR, and CCPA compliant. The full SOC 2 Type II report can be provided to enterprise customers under NDA through our sales team.
- We do not permanently store the data that you load using our data integrations. At no time does your data ever enter a backup.
- We cache data for the time required for us to serve you in an efficient manner. In almost all cases, data remains in short-lived encrypted caches.
- While your data is on our systems or traveling between the data source and us or from us to you, the data is always strongly encrypted.
Contact firstname.lastname@example.org if you have any questions or comments.
Retention of customer processed data
All customer processed data exists as cached data in our systems. All caches are regularly invalidated with the timeline dictated by the design of the data source. In some cases, caches may exist only for a few minutes and in some very rare cases, where we will tell you and obtain further consent, the caches may exist longer. Because we only ever cache the data, none of your processed data is ever stored to a backup. You can always fetch fresh data directly from the data source if the caches have been removed.
We do retain your customer access tokens in order to be able to fetch data at your request or your schedule. These credentials are securely stored encrypted. We may also retain data such as custom field metadata or account names and information where that data is required for the functionality of the data source integration.
Website, account management, and purchases
All connections to any of our services, our web portal, our account management system, and any purchases you make are encrypted by default using industry-standard cryptographic protocols (TLS 1.2+).
Any attempt to connect over an unencrypted channel (HTTP) is redirected to an encrypted channel (HTTPS).
Connections to customers’ data source APIs and systems as well as connections from Supermetrics to data destinations such as Google Sheets, Microsoft Excel, or data warehouses are SSL encrypted by default.
Where we need to connect to a customer’s own database, such connections are also strongly encrypted at the customer’s choice.
Data source permissions
Supermetrics requires customers to give access to read the data from data sources such as Facebook Ads and Google Ads APIs. Where possible, we will make use of OAuth access tokens. By this mechanism, the customer grants access to the data through the data source service and we receive a token by which we access and retrieve the data. You will have access to revoke the tokens both from Supermetrics login management as well as from the data source services themselves.
Supermetrics only ever requires the minimum amount of permission to read the data. We will only ever access your data on your instructions through our tools such as Supermetrics for Google Sheets or any automated scheduling that you have set up through Supermetrics. Where a data source gives us more than read-only access due to the nature of the data source, Supermetrics will never make use of those permissions.
We treat your tokens like passwords, they are strongly encrypted and never shared or logged.
Data destination permissions
Supermetrics will require various permissions based on the tools that you will use. For example, with Supermetrics for Google Sheets, we will need access to read and write to your spreadsheets. We request the least amount of permissions that we need in order to provide you the service. Should the default permissions granted be more than we need, we will never make use of those permissions.
In some cases, we provide multiple avenues to get data into your data destination. For example, we may provide tools to get data to your Google BigQuery where you will need to give us permissions to create schemas in your Google BigQuery database, however, you can also use our Google BigQuery Data Transfer Service Connectors where you do not need to give us such access at all. Please talk to our sales team about the best options for your organization and how we can help you.
We practice industry best practices including the use of hardened and customized server images, bastion hosts, different types of firewalls, and multi-factor authentication. As a “data privacy first” organization we follow regular standards on enforcement of least privilege, monitoring and reviewing our IAM (identity and access management) policies and security roles.
We conduct annual third-party security audits of our application and systems. The reports of these tests may be obtained from us under NDA.
Physical and environmental safeguards
Supermetrics uses leading cloud providers to process your data. Google Cloud Platform and Amazon Web Services are our providers of choice and both organizations have excellent compliance and regulatory audits including SOC 1/2-3, PCI-DSS, and ISO27001.
Documents on Google Cloud Platform and Amazon Web Services certifications can be obtained directly from Google and Amazon respectively.
Supermetrics requires that all employees comply with security policies designed to keep any and all customer information safe, and address multiple security compliance standards, rules and regulations. We ensure that all employees are immediately trained on our security policies and at the very least annually conducted thereafter.
Two-factor authentication, VPNs, and strong password controls are required for administrative access to systems. All such policies are reviewed on a regular basis. Supermetrics has various change management and peer review practices in place within our software development life cycle to ensure best practices are followed.
SOC2, GDPR, CCPA compliance, and data sovereignty
Supermetrics is compliant under both GDPR and CCPA. Your data is processed on AWS and GCP servers in the EU. Our sub-processors may transfer or process personal data outside the EU/EEA. When personal data is transferred or processed outside the EU/EEA, we ensure that the data is transferred by using the EU Commission’s Standard Contractual Clauses or by other appropriate safeguards as described in Article 46 of the GDPR. If you have further questions on data sovereignty, do not hesitate to contact us.
Supermetrics has been externally audited and is compliant with the SOC 2 Type II standards. Please contact email@example.com to get our SOC 2 Type II report under NDA.