Security

Last updated 2026-04-16. How we protect credentials, traffic, and customer data.

Encryption

In transit

TLS 1.3 everywhere. HSTS preloaded. No TLS below 1.2 allowed. Cipher suites restricted to modern AEAD.

At rest

AES-256-GCM on Postgres and object storage. Disks on Fly.io and Supabase are encrypted by default.

Key management

Customer upstream credentials are encrypted with per-customer envelope keys. The envelope key is wrapped by a master KMS key (AWS KMS).
Master key rotation every 90 days. Envelope keys rotate on access after 180 days.
Access to decrypted creds is scoped to the gateway runtime only, in-memory, never logged.
Staff cannot read customer upstream credentials. Break-glass access requires two-person approval and produces an audit record.

Access controls

SSO: SAML + OIDC available on Growth tier and up.
SCIM: Enterprise tier — user provisioning and deprovisioning from your IdP.
MFA: TOTP or WebAuthn on all accounts. Mandatory for staff.
Audit logs: dashboard MVP shipping Q2 2026; API-accessible audit export Q3 2026.
Role-based permissions: owner / admin / billing / developer / read-only.

Vulnerability disclosure

If you find a security bug, report it to security@metercall.ai. PGP key available on request. We acknowledge within 24 hours and triage within 3 business days. Safe-harbor for good-faith research.

Bug bounty

Rewards scale with severity. Pre-launch bounty runs on a private invite basis; expanding to public on HackerOne in Q3 2026.

Severity	Range	Example
Critical	$2,500 – $5,000	Auth bypass, customer credential exposure, full RCE
High	$750 – $2,500	Priv-esc, IDOR exposing another customer's data
Medium	$250 – $750	Stored XSS, SSRF without cred exposure
Low	$100 – $250	Reflected XSS on unauth surface, CSRF on low-risk action

In scope: *.metercall.ai, our Fly.io gateway, the iOS/Android agent apps when they ship.

Out of scope: rate-limit bypass on unauth endpoints, missing security headers without exploit path, clickjacking on static pages, third-party vendor issues (report directly to them), social engineering, physical attacks, DoS.

Penetration testing

Annual third-party pen test. Next test: Q2 2026 (NCC Group, pending). Executive summary available to Enterprise customers under NDA.

SOC 2

SOC 2 Type II audit in progress — observation period started Q1 2026, report expected Q3 2026 (Prescient Assurance). We'll post the Type I letter when it drops.

Incident response

On-call rotation 24/7. Customer notification within 72 hours of confirmed breach affecting your data, with preliminary details and a commitment to a fuller RCA within 14 days. Status page at status.metercall.ai.

Secure development

Code review required on every merge.
Dependency scanning (Dependabot + Snyk) blocks known-high on main.
Secrets scanning pre-commit and in CI.
Staging environment mirrors prod topology; no production data in staging.

Last updated 2026-04-16. Questions → /contact.html