Last updated: Aug 24, 2019
MetaCert is committed to providing a highly secure and reliable integration service. This includes maintaining the confidentiality of its customers' information and ensuring that customers' information will be available when it is needed. To achieve this we use proven, tested, best-in-class security tools, technologies, practices and procedures.
MetaCert uses PCI Compliant Level 1 audited payment processor Stripe for processing credit card payments for the MetaCert services.
MetaCert is hosted on public cloud infrastructure from Amazon Web Services (AWS) and Google Cloud Platform . Both Amazon and Google servers and databases run on servers in secure data centers and have a broad set of certifications.
You can read further about AWS and Google security and certifications here:
aws.amazon.com/security/
cloud.google.com/security/
All information is encrypted in transit and at rest.
MetaCert services are accessible only over HTTPS. Traffic over HTTPS is encrypted and is protected from interception by unauthorized third parties. MetaCert follows current best practices for security, including the use of strong encryption algorithms with a key length of at least 128 bits.
For on-premise systems, access requires the installation of a on premises agent behind the firewall. All communication between MetaCert and the on premises agent is over an encrypted link (TLS 1.2).
Administrative access to MetaCert servers is over VPN protocol. Administrative access is granted only to select employees of MetaCert, based on role and business need. Multi-factor authentication is required for access.
MetaCert uses a multi-tier architecture that segregates internal application systems from the public Internet. All network access, both within the datacenter and between the datacenter and outside services, is restricted by firewall and routing rules. Network access is recorded into a centralized secure logging system.
Application access to databases used in the MetaCert service is over an encrypted link (TLS).
MetaCert has a comprehensive software development lifecycle process that incorporates the Security STRIDE model as well as design and code reviews, unit and integration testing.
All applications are regularly scanned for common security vulnerabilities including the OWASP Top Ten.
Regular training on Secure Coding Practices is provided. All engineers must attend training sessions.
Regular security tests are conducted, including the use of scanning and fuzzing tools to check for vulnerabilities. MetaCert also undergoes periodic penetration testing by a qualified 3rd-party firm.
MetaCert has a privacy policy, which details the steps we take to protect clients’ information. You can view the privacy policy here: https://metacert.com/privacy-policy.html.
Clients login to MetaCert using a password which is known only to them. Password length and complexity standards are enforced. Passwords are not stored; instead, as is standard practice, only a secure hash of the password is stored in the database. Because the hash is relatively expensive to compute, and because a “salting” method is used, brute-force guessing attempts are relatively ineffective, and password reverse-engineering is difficult even if the hash value were to be obtained by a malicious party.
MetaCert supports automatic session logout after a period of time. Enterprises can set the appropriate timeout period according to their security needs.
When MetaCert recipes connect to remote systems using user-supplied credentials, where possible this is done using OAuth2, and in those cases, no credentials need to be stored in the MetaCert system. However, if a remote system requires credentials to be stored, they are encrypted using a 256-bit key.
Connections to remote systems are done only over secure (HTTPS) connections.
MetaCert also supports integration with Single Sign-on Systems using SAML. Customers can use SSO for authentication into MetaCert as well as application connections for recipes. These systems can be configured to require Multi-factor Authentication as well as other security features.
MetaCert stores transaction related data only to enable customers to have better insight and control over their transactions and in cases where transactions take a long time to finish. Specifically, MetaCert stores transaction data to support transaction logging, testing and debugging, re-running transactions, and in support of long running transactions. All transaction data is always encrypted in transit and when stored in MetaCert's platform. MetaCert stores transaction data on the AWS.
Customers have control over the retention period of the transaction data. In addition MetaCert provides the ability to mask out sensitive data in the transaction logs for additional security.
MetaCert ensures continuous availability of its service and protects against the risk of disruptions by implementing a Business Continuity and Disaster Recovery program. This includes continuous backup to a standby database.
All employees are subject to background checks that cover education, employment and criminal history. Employment at MetaCert requires written acknowledgement by employees of their roles and responsibilities with respect to protecting user data and privacy.
MetaCert maintains an information security training program.
Knowledgeable full-time security personnel are on staff.
While we don't anticipate there ever being a breach of our systems, we know that no computer system is perfectly secure.
In the event of a breach of a MetaCert information system, we have a detailed Incident Response Plan in place, and there is periodic testing of the response plan.
MetaCert has 24x7 monitoring of the security status of its systems and automated alerts for security and performance issues.