Security
Last updated July 7, 2026
MetrikData processes merchant bank statements that contain sensitive financial data. This page describes the technical controls, infrastructure, and policies that protect it.
1. Encryption
All data in transit between your browser and MetrikData is encrypted with TLS 1.3. Data at rest, including uploaded PDFs, extracted transaction records, and generated reports, is encrypted with AES-256. Encryption keys are managed by our infrastructure provider and are not accessible to MetrikData application code.
2. Infrastructure
MetrikData runs on Supabase (database, authentication, and object storage) and Vercel (application hosting). Supabase has completed SOC 2 Type II certification. Both providers operate in US-based data centers managed by AWS. MetrikData does not operate its own physical infrastructure.
3. Data residency
All uploaded statements, extracted data, and generated reports are stored and processed in US-based data centers (AWS US-East). No customer data is transferred to or stored in data centers outside the United States.
4. Workspace isolation
Every customer workspace is logically isolated. Database access is enforced through row-level security (RLS) policies, so one organization cannot read, query, or export another organization’s data. Uploaded PDFs are stored in private, per-workspace storage buckets with access gated by authenticated workspace membership.
5. Authentication and access control
User authentication is handled by Supabase Auth with secure session tokens. Workspace owners control member access through role-based permissions. Administrative access to production systems is restricted to authorized personnel, requires multi-factor authentication, and is logged.
6. Statement data handling
Uploaded bank statements are used exclusively to generate your analysis. MetrikData does not use uploaded statements to train machine learning models. Individual owner names are excluded from generated reports. You can delete individual cases, merchants, or your entire workspace at any time. Deleted records are removed from active systems promptly and purged from backups on a rolling schedule.
7. Subprocessors
MetrikData relies on a limited set of subprocessors, each bound by contractual confidentiality and security obligations. The current list:
- Supabase — database, authentication, and object storage (US)
- Vercel — application hosting and edge network (US)
- OpenAI — transaction classification (US)
- Anthropic — transaction classification (US)
- Stripe — payment processing (US)
Subprocessor changes that materially affect data handling will be reflected on this page.
8. Incident response
MetrikData maintains an incident response process. In the event of a confirmed data breach affecting customer data, affected workspace owners will be notified within 72 hours of confirmation, with a description of the incident, the data involved, and remediation steps taken.
9. Compliance roadmap
MetrikData’s infrastructure providers (Supabase and Vercel) hold SOC 2 certifications. SOC 2 Type I certification for MetrikData is on our roadmap. This page will be updated as milestones are reached.
10. Contact
Security questions, vulnerability reports, or data processing inquiries: support@metrikdata.com.