How we protect your data

Customer data is stored in Upstash Redis, hosted in the United States (us-east-1 region). This includes account information, OAuth tokens, report data, and usage logs. No customer data is stored on your device beyond what is strictly necessary for authentication and preferences.

All OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before storage. All data in transit between your browser, our servers, and third-party integrations is encrypted using TLS 1.2 or higher. Passwords are never stored in plaintext.

Passwords are hashed using bcrypt with a cost factor of 12. User sessions are managed with signed JWT tokens stored in HttpOnly, Secure, SameSite=Lax cookies. Two-factor authentication (TOTP) is available and recommended — you can enable it from Settings > Security.

Metriqs runs on Vercel's serverless infrastructure, which provides automatic scaling, DDoS protection, and zero-downtime deployments. Background jobs run via Upstash QStash. All infrastructure providers operate under SOC 2 Type II compliance programmes.

If you delete your account, all personal data and reports are permanently removed within 30 days. OAuth tokens from connected integrations are revoked and deleted immediately when you disconnect those integrations. Billing records are retained for 7 years as required by law.

We conduct regular security reviews of our infrastructure and dependencies. Access to production systems is restricted to authorised personnel with audit logging enabled. We follow the principle of least privilege — we request only the minimum OAuth scopes required to generate your reports.

If you discover a security vulnerability in Metriqs, please report it responsibly by emailing security@trymetriqs.com. Include a description of the issue and steps to reproduce it. We will acknowledge your report within 2 business days and aim to resolve confirmed issues within 30 days.