Worry-free ESG reporting

We’ve put in place the systems, people and processes to keep your data secure—so you can focus on putting your data to work for you.

Multiple levels of protection

At Metrio, we use a host of security measures to safeguard your data. From secure infrastructure and data encryption to regular vulnerability management and employee training, we’ve got you covered.

Soundly managed physical infrastructure

Using tools from providers with strong sustainability and security practices matters to us. That’s why we host our application on Google Cloud, which is known for its local data centres, secure facilities and sustainable servers.

Where we store data

Our application is hosted on northamerica-northeast1, a secure Google Cloud data centre located in Montreal, Canada. We can also deploy your data to regions in the US and Europe.

How Google Cloud tackles security

Google Cloud has put in place a host of security measures to keep its data centres safe, including:

  • Custom servers with built-in redundancy and automatic backups
  • Robust disaster recovery and prevention measures in the event of a fire, power failure or other disruption
  • Secure physical locations with perimeter defense systems and a 24/7 security team
  • An enterprise risk management program for risk assessment and mitigation
  • Local and regional security operations centres for monitoring and year-round testing

Why we rely on sustainably managed data centres

To reduce security risks and increase our application's performance, we use tools from providers with sound sustainability practices. Google Cloud’s hyper-efficient data centres use half as much energy as other infrastructure and boast:

  • 0 net carbon emissions
  • 11% overhead energy
  • a 1.1 power usage effectiveness score

Strict data management policies and practices

From data encryption to limited access and processing, we have the processes in place to make sure only the right people can access your data.

How we encrypt data

All communications between your web browser and our software, and between our application’s front end, back end and database, are encrypted using the Transport Layer Security (TLS) protocol. By default, Google Cloud encrypts all data at rest.

How we handle personal data

Our application doesn’t transmit, process or store any personally identifiable information (PII) other than users’ work email addresses. We use email addresses only to grant application access to authorized employees and delete them when the account is closed.

To find out how we handle data through our public website, read our Cookie and Privacy Policy.

Who can access your data and how

Our employees can access your data only on a need-to-know basis, after signing a non-disclosure agreement. They systematically lose access to it if they leave the company.

To provide our software as a service, we don’t need to physically access any secure IT facilities or environments or access your networks, systems or applications remotely.

Users you’ve approved can access our cloud-based application through a web browser.

How you can request a copy of your account data

While you’re subscribed to our services, you can export all of your data at any time, free of charge, directly from our application.

If you don’t renew your subscription:

  • You can request that we send you a copy of all your data. We must receive your request at the latest one month after the end of your contract. We’ll send you the data within 48 business hours.
  • We’ll delete all your original data and email exchanges either immediately after we’ve sent you a copy of your data or one month after the end of your contract, whichever comes first.

Ongoing training, certifications and compliance

Our certified IT specialists make sure we follow best practices and carry out company-wide preventive training.

How our security team stays up-to-date

To keep up with new security best practices, our dedicated IT security team follows regular training to receive mandatory continuing professional education (CPE) credits and renew their certifications. Their credentials include:

How we’re working toward compliance

We’re certified STAR Level 1 through the Cloud Security Alliance, which means that we follow security best practices and submit security and privacy self-assessments.

We’ve put in place a thorough implementation strategy to comply with SOC 2 type 2 requirements by the end of 2022.

How we train our team

Our staff follows mandatory security training every three months and receives ongoing phishing simulations. New hires also receive security training during their first week.

Continuous monitoring and testing

With regular code analysis and vulnerability management, we prioritize security from the very beginning of our software development lifecycle (SDLC).

How we keep our source code clean

We use Dependabot and Snyk as software composition analysis (SCA) tools to monitor updates and security patches for the third-party libraries used by our software. We update the libraries whenever they detect a vulnerability.

We also use Snyk as our static code analysis tool (SAST). Snyk is integrated with our continuous integration and deployment (CI/CD) pipelines. It scans every pull request (PR) and fails the build if it identifies a vulnerability.

We use both tools to analyze changes to the code.

How we manage vulnerabilities

We’ve put in place a strict vulnerability testing process, which involves:

  • Testing our applications and servers for security vulnerabilities before promoting them from testing to quality assurance and from quality assurance to production
  • Scanning our servers for vulnerabilities on a monthly basis and applying security patches accordingly
  • Carrying out penetration testing on our software on a quarterly basis or upon request
  • Hiring an external testing provider once a year

We can mitigate most application vulnerabilities without shutting down the production server, which we do only as a last resort.

Think you’ve found a vulnerability? Write to us.

Want to know more?

We’d be happy to show you how our platform works.