Security

Last updated: July 3, 2026

Overview

Metiva is the system your business runs on, so protecting your data is core to the product, not an afterthought. We build security in by design: least-privilege access, encryption everywhere, strict tenant isolation, and continuous monitoring. This page summarises the measures we use; specific commitments for your organisation are set out in your agreement.

Hosting & Infrastructure

The Services run on reputable cloud infrastructure with data hosted in the European Union. Our primary datastore is a managed PostgreSQL database (Neon), and background processing runs on managed queues. Infrastructure access is restricted, and we prefer EU regions to keep personal data within the EEA wherever possible.

Encryption

Data is encrypted in transit using TLS, and encrypted at rest by our infrastructure providers. Sensitive secrets, such as third-party integration tokens and IP addresses used for attribution, are additionally encrypted at the application layer before storage, so they are protected even within our own database. Account passwords are never stored in plain text, only as salted bcrypt hashes.

Access Control & Authentication

Sign-in is handled by a centralized identity service with single sign-on across Metiva subdomains. Sessions are carried in signed, encrypted cookies, and access to the backend is authenticated with short-lived, signed tokens.

  • Role-based access control (RBAC) is enforced from day one, so users only see what their role allows;
  • Login is rate-limited across servers to defend against credential-stuffing and brute-force attempts;
  • Internal, server-to-server endpoints are protected by separate shared-secret guards;
  • Employee access to production is limited to what is needed and follows least-privilege principles.

Tenant Isolation

Metiva is multi-tenant with row-level isolation: every record is scoped to its organisation (and, for agencies, to the client brand), and every authorisation check is tenant-aware. This keeps one customer's data logically separated from another's throughout the platform.
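Row-level isolation is only as strong as the guarantee that no query can run without the tenant predicate. As an added example (not Metiva's code or schema), the block below builds that guarantee into a data-access layer: every query takes a tenant context carrying the organisation and, for agency users, the client brands they may see, and the WHERE clause is generated from that context rather than from the request. The column names, the in-memory rows standing in for a PostgreSQL table, and the table allowlist are assumptions.

```javascript
// Added example, not Metiva's code: tenant-scoped data access so that every
// read carries the organisation (and brand) predicate.
// Assumptions: rows carry org_id and brand_id; the caller's identity yields
// {orgId, brandIds}; an in-memory array stands in for a PostgreSQL table.

// Constructed sample rows.
const leads = [
  { id: 1, org_id: 'org_a', brand_id: 'brand_1', email: 'a@example.com' },
  { id: 2, org_id: 'org_a', brand_id: 'brand_2', email: 'b@example.com' },
  { id: 3, org_id: 'org_b', brand_id: 'brand_9', email: 'c@example.com' },
];

class TenantContext {
  constructor({ orgId, brandIds }) {
    if (!orgId) throw new Error('tenant context requires orgId'); // never run unscoped
    this.orgId = orgId;
    // null means "all brands in the org" (a direct customer); a Set limits an
    // agency user to the client brands they are assigned.
    this.brandIds = brandIds ? new Set(brandIds) : null;
  }

  // The single predicate every authorisation decision goes through.
  permits(row) {
    if (row.org_id !== this.orgId) return false;
    if (this.brandIds && !this.brandIds.has(row.brand_id)) return false;
    return true;
  }
}

function findLeads(ctx, filter = {}) {
  if (!(ctx instanceof TenantContext)) throw new Error('query without tenant context');
  return leads.filter(r =>
    ctx.permits(r) && Object.entries(filter).every(([k, v]) => r[k] === v));
}

// Lookup by id still goes through the predicate, and a row in another tenant
// is reported exactly like a missing row, so ids do not leak across tenants.
function getLead(ctx, id) {
  if (!(ctx instanceof TenantContext)) throw new Error('query without tenant context');
  const row = leads.find(r => r.id === id);
  return row && ctx.permits(row) ? row : null;
}

// The same rule expressed as parameterised SQL: the WHERE clause comes from
// the context, so a handler cannot forget it. Table names come from a fixed
// allowlist, never from the request.
const TABLES = new Set(['leads', 'campaigns']); // assumption
function scopedSql(ctx, table) {
  if (!(ctx instanceof TenantContext)) throw new Error('query without tenant context');
  if (!TABLES.has(table)) throw new Error(`unknown table ${table}`);
  const params = [ctx.orgId];
  let where = 'org_id = $1';
  if (ctx.brandIds) {
    params.push([...ctx.brandIds]);
    where += ' AND brand_id = ANY($2)';
  }
  return { text: `SELECT * FROM ${table} WHERE ${where}`, params };
}
```

The point of making `TenantContext` a required argument, rather than reading the org from a global, is that a query written without it fails loudly in development instead of silently returning every tenant's rows.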

Application Security

We follow secure development practices and defend against common web risks. Examples include server-side validation, protections against server-side request forgery (SSRF) on outbound integrations, throttling on sensitive endpoints, and careful handling of user-supplied content. We keep dependencies up to date and review security-sensitive changes.

Logging & Monitoring

We log application and security-relevant events to detect and investigate issues, support troubleshooting, and maintain an audit trail of sensitive actions. Logs are access-controlled and retained for a limited period. We monitor the health and availability of the Services.

Backups & Resilience

Our managed database provides automated backups and point-in-time recovery. We design the platform for resilience and test our ability to restore data, so we can recover from failures with minimal disruption.

Compliance

We process personal data in line with the GDPR and the Dutch AVG, as described in our Privacy Notice. Where we process personal data on your behalf, we do so under a Data Processing Agreement. For EU traffic, visitor de-anonymisation is limited to company level by default, not person level; identifying an individual requires that person's consent.

Responsible Disclosure

If you believe you have found a security vulnerability in Metiva, please tell us at security@metiva.io and give us a reasonable time to investigate and remediate before public disclosure. We appreciate responsible reports and will work with you in good faith. Please do not access or modify data that is not yours, or degrade the Services, while testing.