Security
Last updated: June 29, 2026
This page summarizes the security practices we use to help protect Metric Flow IQ and customer data. It is provided for transparency and procurement review.
This overview is for transparency and informational purposes only. It is not a security certification, audit report, or legal/compliance opinion.
1. Overview
- Security is designed into core flows: authentication, role-aware access, and tenant separation.
- We aim to reduce risk through least-privilege access and defense-in-depth controls.
- Security-sensitive operations are designed to be auditable by authorized administrators.
- We continuously improve safeguards based on operational learnings, product changes, and risk assessment.
2. Data protection
- Encryption in transit: HTTPS/TLS is used for web traffic and API requests.
- Encryption at rest: Customer data is stored on managed cloud infrastructure with encryption at rest.
- Application-layer encryption: selected sensitive CRM fields and private file uploads are encrypted by the application before they are stored.
- Search-safe metadata: where exact-match lookup is needed, we use limited lookup metadata rather than displaying sensitive values directly in query surfaces.
- Backups and resilience: We rely on managed platform features and operational safeguards to support availability and recovery.
- Public assets: customer-provided branding assets, such as tenant logos, may be publicly accessible when they are used to display public or shared product branding.
3. Access controls
- Authentication: user sign-in is required to access the application.
- Authorization: access to data and operations is controlled by roles and permissions.
- Tenant boundaries: data access is scoped by tenant to reduce cross-organization exposure.
- Session controls: the application supports inactivity timeout and remote sign-out controls for account protection.
- Multi-factor protection: where enabled, authenticator-based two-factor protection and recovery flows help reduce account takeover risk.
- Auditability: key administrative and security actions are designed to be reviewable by authorized personnel.
4. Infrastructure and service providers
Metric Flow IQ uses managed cloud and infrastructure services to operate the Service. Depending on the customer environment and enabled features, this may include Firebase/Google Cloud services, Microsoft Azure services, Microsoft identity or email infrastructure, and other providers listed on our Subprocessors page.
We do not publish internal storage paths, secret names, or infrastructure identifiers on this public page.
5. Monitoring and abuse prevention
We monitor for reliability and security issues. Depending on configuration, this may include error/performance monitoring, app integrity checks, and anti-abuse protections on public forms.
For details on optional monitoring and storage technologies, see our Privacy Policy.
6. Incident response
- We triage and investigate suspected security incidents.
- We take reasonable steps to contain impact and remediate root causes.
- When appropriate, we notify affected customers consistent with applicable obligations and contracts.
7. Subprocessors
We use trusted third-party providers to help operate the Service. For an enterprise-friendly list, see our Subprocessors page.
Contact
Security questions? Email Support@metricflowiq.com.