At m3ter we take our commitment to safeguarding the security of your data, and your end-customer's data, very seriously - as something vital to earning your trust as a valued customer. The m3ter platform has been designed, built, and operated from day one with this commitment clearly in mind at each step, and we offer industry-standard levels across all of the main aspects of data security, integrity, and protection:
We implement and maintain strict authentication and authorization flows available under the industry-standard OAuth 2.0 specification and SAML 2.0 specification to make secure any granting of access to the m3ter platform for two user types. For both user types, operational protocols are imposed to safeguard against access by rogue or malicious actors:
Authorization Code: Used for human user access login via the m3ter Console. Temporary passwords are valid only for initial login and unsuccessful login attempts are automatically restricted to 5 attempts before passwords are invalidated.
Single Sign-On. We support customers for implementing SSO in m3ter using external Identity Providers (IdPs) that conform to the Security Assertion Markup Specification 2.0 (SAML 2.0) standard. This ensures a single and secure point of identification is enforced on federated identities belonging to an external IdP when they log into and authenticate with the platform.
Client Credentials: Used for machine-to-machine communication and API access to support service users. Access keys and API secrets must first be generated and then used to obtain Bearer Tokens before access can be made and valid API calls submitted. All Bearer tokens are time-bound limited to 5 hours validity from time of issue before expiry.
For precision control of what users can do when granted access, we offer a robust and flexible permission policies model. The capability to create and customize their own permission policies for an Organization enables our customers to quickly set up and impose a fine-grained restriction on the range of data and resources individual users or user groups can work with. We recommend a prudent strategy of assigning "least privilege" for user permissions - limit a user's access to only those data and resources that a user requires to fulfill their role - and our permissions model fully supports this strategy.
All data transmitted to and from the m3ter platform is encrypted using the Transport Layer Security (TLS) protocol. All data is encrypted at rest using industry-standard algorithms. By default, no m3ter employees have direct access to any customer data. All data persisted in the service is backed up and able to be recovered in case of a disaster.
We run frequent 3rd-party penetration tests against the m3ter platform to identify any security issues. We run automated checks against the Common Vulnerabilities and Exposures (CVE) database to highlight any dependencies with known vulnerabilities.
We run an ethical bug bounty program via BugCrowd, and encourage any researchers who find issues to disclose them via that route.
From a deep sense of commitment to our customers over data security, privacy, and integrity, we've worked tirelessly to achieve SOC 1 and SOC 2 Type II certifications.
Since our customers use m3ter as an essential part of their operational billing infrastructure, we feel that achieving and maintaining these independently audited certifications is required to earn and retain our customer's trust, and that customer trust is something we value extremely highly. Customers can request copies of our SOC reports by contacting m3ter Support.
For more details, please see the SOC 1 & 2 blog post on our website.
m3ter engineers undertake Security Training and carry out development in line with industry-standard frameworks, including the Open Worldwide Application Security Project (OWASP). No code base changes are released to production without a review and approval from another engineer.
The m3ter service runs entirely in the public cloud, and we select providers who have high security and operational standards. We expect every provider to have an active SOC 2 Type II report, and these providers are regularly reviewed for continued compliance with our expectations.