1. Data protection
Encryption in transit
All traffic between your browser and the Service is encrypted using TLS 1.2 or higher. We use HSTS to prevent protocol downgrade attacks. Internal service-to-service traffic is also TLS-encrypted.
Encryption at rest
OAuth access tokens, refresh tokens, and API keys for connected platforms are encrypted at the application layer with AES-256-GCM before being written to the database. Database storage volumes are additionally encrypted at rest by our cloud provider.
Read-only access by design
We request the minimum OAuth scopes required to read performance data from connected platforms. We do not request scopes that would allow us to modify campaigns, post on your behalf, or perform other write actions.
2. Access control
- Production access is restricted to a small number of named engineers. Access is granted on a least-privilege basis, requires multi-factor authentication, and is logged.
- Customer environment isolation: all data is scoped by organization in our database; queries enforce organization-level filters at the application layer. Row-level security policies provide an additional layer of defense in depth.
- Authentication: the Service uses a hardened third-party authentication provider that supports passwordless login and SSO/SAML on eligible plans.
- Customer-side roles: within your organization, roles (Owner, Admin, Member, Viewer) restrict who can connect accounts, view billing, and manage members.
3. Application security
- Input validation: all API requests are validated against typed schemas at the boundary.
- SQL safety: the AI agent's data-access tool is restricted to read-only SQL. Mutating statements are rejected before execution. Queries are scoped by tenant identifier server-side, not by the client.
- Dependency management: dependencies are pinned and scanned continuously for known vulnerabilities. Security patches are applied in line with severity.
- Secret management: application secrets are stored in a managed secret store and rotated on a schedule.
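One way the read-only, organization-scoped access described under "Customer environment isolation" and "SQL safety" can be enforced in Postgres, as an added example that is not the Service's own configuration. The table `metrics`, the role `agent_readonly`, the setting `app.org_id` and the organization id are assumptions constructed for illustration:

```sql
-- Added example with hypothetical names; not the Service's schema.
CREATE TABLE metrics (
    org_id   uuid    NOT NULL,
    platform text    NOT NULL,
    day      date    NOT NULL,
    spend    numeric NOT NULL
);

-- Role used only by the agent's data-access tool: SELECT and nothing else.
CREATE ROLE agent_readonly NOLOGIN;
REVOKE ALL ON metrics FROM PUBLIC;
GRANT SELECT ON metrics TO agent_readonly;

-- Row-level security: a row is visible only when its org_id matches the
-- organization the server bound to the current transaction. An unset or
-- empty setting yields NULL, so the policy fails closed (no rows).
ALTER TABLE metrics ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON metrics
    FOR SELECT TO agent_readonly
    USING (org_id = NULLIF(current_setting('app.org_id', true), '')::uuid);

-- Per request, issued by the server (never by the client or the model):
BEGIN READ ONLY;
-- Tenant id comes from the authenticated session; this value is constructed.
SELECT set_config('app.org_id', '00000000-0000-0000-0000-000000000001', true);
-- Drop to the SELECT-only role for the rest of the transaction.
SET LOCAL ROLE agent_readonly;

-- Agent-generated query: no org filter in the text, yet only the bound
-- organization's rows are aggregated.
SELECT platform, sum(spend) AS total_spend
FROM metrics
GROUP BY platform;

-- A mutating statement fails twice over: the transaction is read-only
-- and the role holds no UPDATE privilege.
UPDATE metrics SET spend = 0;

ROLLBACK;
```

Table grants and policies do not govern session commands such as `SET` or `RESET ROLE`, so the application layer still has to accept only a single `SELECT` statement from the agent before it reaches the database.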
4. Infrastructure
- We host on reputable cloud providers with mature security programs (Vercel for the web frontend, Render for the backend API, Supabase / managed Postgres for the database).
- Network access to non-public services is restricted to the minimum required.
- Backups run continuously with point-in-time recovery; restore procedures are tested regularly.
5. AI governance
- No model training on your data. Customer Data sent to AI subprocessors is processed under contractual terms that prohibit training on inputs and outputs.
- Cited outputs. The AI agent is instructed and designed to base every numeric claim on a verifiable query against your warehouse, with the underlying query exposed for inspection.
- Prompt-injection mitigations. System prompts and tool outputs are constructed to limit the impact of adversarial input from third-party data sources.
6. Logging and monitoring
We log security-relevant events including authentication, account and configuration changes, and admin actions. Logs are aggregated in a centralized system and retained for at least 90 days. We monitor for anomalies and have on-call rotations for production incidents.
7. Incident response
We maintain an incident-response plan that defines roles, escalation paths, communication templates, and post-incident review. In the event of a security incident affecting your data, we will notify you and applicable regulators in accordance with law and our contract, typically within 72 hours of a confirmed breach.
8. Vulnerability disclosure
We welcome responsible disclosure from security researchers. To report a vulnerability, write to support@metty.ai. Please include enough detail to reproduce the issue. We commit to:
- Acknowledging your report within 3 business days;
- Providing an initial assessment within 10 business days;
- Working with you in good faith to resolve the issue and, where appropriate, publicly crediting your contribution.
We do not currently operate a paid bug-bounty program. Acting in good faith and in accordance with this policy will not result in legal action from us. Avoid privacy violations, data destruction, denial of service, and any action that could harm users or our Service.
9. Compliance roadmap
The following compliance milestones are on our roadmap:
- SOC 2 Type II — in progress, target completion Q4 2026.
- ISO/IEC 27001 — under evaluation.
- GDPR & UK GDPR — operational; DPA available on request.
- India DPDPA, 2023 — operational; grievance officer designated.
We are happy to walk enterprise prospects through our security questionnaire and architecture under NDA. Contact support@metty.ai.
10. Customer-side recommendations
Even strong platform security depends on good user practices. We recommend:
- Enabling SSO and MFA for all members of your workspace;
- Reviewing connected platforms periodically and disconnecting any that are no longer needed;
- Granting access only to users who need it, and using the Viewer role where possible;
- Keeping your contact email on the account up to date so security notices reach you.