Security Policy

1. Introduction

This Security Policy governs the processing of data provided by a subscriber under their user licence agreement (“Agreement”) or through use of Metrix services. By using our services or our website, or by signing an Agreement with Metrix, you accept this policy. If you do not agree, do not use our sites or software.

2. Data safety

Security is built into every layer of the Metrix software. You get the security advantages of running on a globally hosted, enterprise-grade cloud platform combined with controls Metrix maintains directly — customer-facing access controls, hardened infrastructure, and continuous monitoring.

This policy outlines how we secure your information within the Metrix software.

For operational security reasons, we don’t publish the exact set of services, features, and data centres we use. The summary below explains the controls in place.

3. Data centre security

The Metrix data infrastructure is hosted on a major cloud platform with independent third-party assurance reports, certifications, and ongoing audits covering data-centre security.

The cloud provider is selected for its track record in designing, building, and operating large-scale data centres at enterprise standards. The exact physical location of the data centre that stores Metrix data is not disclosed publicly.

Data centres are protected by layered physical controls designed to prevent unauthorised access.

4. Infrastructure security

Metrix infrastructure runs in a fully redundant, secure VPN environment, with access restricted to authorised operations support staff. This gives us full firewall protection, private IP addressing, and platform-grade security features.

The system on which Metrix runs sits behind a firewall. Only the necessary ports are open to the outside network. Authorised personnel access the system over a VPN connection using SSH keys.

5. Application security

We use the same class of encryption as banks and financial institutions. Data in transit is protected with strong industry-standard cryptographic algorithms.

Your organisation-specific data inside the Metrix software is logically separated at the data tier, based on the application-level access permissions and roles you configure for your account.

All Metrix data is encrypted at rest. At-rest encryption means our databases, files, and other storage have their contents encrypted when backed up or sitting idle. A backup obtained without the corresponding key is unreadable.

6. Operational security

The system is monitored continuously, with real-time alerting so we can respond if a potential issue arises. All actions taken on production consoles are logged.

We monitor security, performance, and availability 24/7/365. Automated security testing runs on an ongoing basis. We prioritise, resolve, and deploy fixes for discovered security issues quickly. Continuous delivery and deployment practice lets us update the platform daily and address issues as soon as they’re identified.

7. ISO/IEC 27001:2013

The most rigorous global security standard for an Information Security Management System (ISMS) is ISO/IEC 27001. We track our controls against this standard.

8. Email & document sharing

Email is a ubiquitous but high-risk communication method, vulnerable to interception and tampering. Don’t send highly confidential, private, or security-related information or documents by email.

9. Data encryption

Each Metrix application is accessed over HTTPS using Transport Layer Security (TLS). TLS protects information in transit against eavesdropping, tampering, and message forgery. Once data reaches Metrix, it’s encrypted at rest.

10. Service availability

Metrix is designed to be a highly available service. Production data is replicated across multiple data centres in Australia. If one data centre goes offline, the secondary continues to serve data with minimal — if any — service interruption. Metrix is not responsible for delays caused by upstream provider availability.

11. System monitoring

The Metrix software is monitored 24 hours a day, 7 days a week, 365 days a year.

12. Data breach notification

Metrix will notify the subscriber without undue delay and in writing on becoming aware of any data breach involving the customer’s data. If you identify a vulnerability or notice data that appears to be available publicly outside the Metrix software, contact us immediately at hello@metrix.com.au.

13. Useful resources

This Security Policy is subject to change and is published on our website. The version date at the top of this page reflects the last update.