Metabase is SOC 2 Type 1 Compliant

Update: Metabase is now SOC Type 2 compliant!

Metabase has always cared about data privacy.

When we originally designed Metabase, we took great care to never see anyone’s data. We took the same privacy-first approach when developing Metabase Cloud, and we’re now proud to say our efforts have been validated by third-party auditors.

Today we’re announcing that Metabase is now SOC 2 Type 1 compliant.

What is SOC 2?

SOC 2 (System and Organization Controls) compliance is an industry-standard way for companies to show that their controls and processes around access to systems and data follow a high standard. SOC 2 compliance requires independent verification by a Certified Public Accounting (CPA) firm. You can learn more about the standard in this comprehensive article.

What does it mean that Metabase is SOC 2 compliant?

• We’ve put into place a set of controls and processes to 1) protect your data and 2) maintain high availability.
• An external auditor has verified these controls and processes.
• We had a third-party pen test.

How can I see your auditors report?

• If you’re a customer, reach out to support to request it.
• If you’re a prospective customer in trials, your sales contact can provide our SOC 2 report under NDA.

What’s next?

Update: Metabase is now SOC Type 2 compliant!

The next step is to secure our SOC 2 Type 2 compliance. Type 1 is the first step: verifying that the controls are in place. Type 2 is to verify (again, by an independent audit) that we’re maintaining these controls over time.

Meanwhile, we’ll continue to improve the security of both our application, Metabase, and our hosting services, Metabase Cloud.