Metakit
Get Started
Security

Guardrails built into every layer.

From signed renders to audit trails, Metakit ships with the controls you need to keep metadata trustworthy.

Contact security

Infrastructure

  • Edge rendering runs on Cloudflare Workers with regional isolation and automatic OS patching.
  • Primary data stores sit in encrypted PostgreSQL clusters with daily backups and point-in-time recovery.
  • Background crawlers operate from dedicated IP pools and respect robots.txt by default.

Application

  • Every render request requires HMAC SHA256 signatures with per-site secrets.
  • Role-based access controls gate overrides, template edits, and crawl scheduling.
  • Audit logs capture every metadata change, purge action, and API key rotation.

People & process

  • Hardware security keys (FIDO2) are required for employee access to production systems.
  • Quarterly incident response drills cover crawl abuse, key leaks, and dependency compromises.
  • Vendors undergo security reviews and DPAs before getting production data access.
Compliance roadmap

Where we stand today.

  • SOC 2 Type II audit in progress with Drata — report available under NDA.
  • HIPAA BAAs available for enterprise plans that need PHI-safe metadata tooling.
  • GDPR compliant data processing with EU-friendly hosting and deletion flows.
Vulnerability disclosure

How to report an issue.

  1. Email [email protected] with a description, reproduction steps, and impact.
  2. Encrypt sensitive payloads with our PGP key (published on the security page).
  3. We acknowledge within 24 hours and provide status updates until resolution.

We reward high-quality reports with swag and, in critical cases, bounties. See the full policy at security.metakit.dev.