Transparency about security, privacy, and architecture. No marketing spin -- just the facts.
We try to collect only what the product needs to work. Here is what that looks like.
Defense-in-depth baked into the app, not bolted on.
Google OAuth 2.0, TOTP, WebAuthn/FIDO2 security keys, and passwordless email codes. Admins can enforce MFA team-wide.
Multi-tenant data model with enforced team scoping at the query, middleware, and route-binding layer. UUID primary keys throughout.
Integration credentials, SecureShare payloads, and API tokens are encrypted at rest with Laravel Crypt (AES-256-CBC).
Nonce-based CSP blocks inline scripts and unauthorized origins. No inline event handlers anywhere in the app.
Dedicated middleware scans incoming requests for common injection patterns before they reach controllers.
Tor / bad-IP blocker, GeoIP restrictions, per-endpoint rate limits, and blocked-country lists. Opt-in per team.
All scan targets, webhook URLs, and monitor endpoints are checked against private-IP, cloud-metadata, and Docker-hostname blocklists.
Every scanner tool runs in its own Docker sidecar container with its own filesystem, network, and resource limits. Each container runs as a dedicated non-root user — not root — and kernel capabilities are reduced to the minimum the tool actually needs. A compromised scanner stays confined to an unprivileged process with no path to the host or adjacent services.
Any superadmin action that bypasses team permissions is logged with user, path, method, and affected team.
Tied to your plan tier. Changes to retention limits apply to your account on the next billing cycle.
| Data type | Free | Pro | Business | Enterprise |
|---|---|---|---|---|
| Activity log | 30 days | 90 days | 365 days | Configurable |
| Cron job run history | 30 days | 90 days | 365 days | Unlimited |
| Scan results & findings | Retained while the owning team remains active. Deleted on team deletion or request. | |||
| Cloud metric snapshots | 7 days | 30 days | 90 days | 365 days |
| Backups | Rolling backups expire within 30 days of deletion. | |||
You can export your scan findings in 5 formats (PDF, JSON, CSV, SARIF, Markdown) from the app or REST API. Uptime reports and executive summaries are generated on-demand as PDF.
Team owners can delete a team from account settings, which cascades to scans, findings, integrations, and team members. We complete backup purges within 30 days. GDPR-aligned deletion requests are honored for data subjects located in jurisdictions that require it.
We use the smallest set of vendors needed to run the product. We do not sell data. We do not run ad networks.
Payment processing. Cards are tokenized by Stripe; we never store card numbers.
Optional single sign-on. We only receive the profile scopes you approve.
Offline IP geolocation for abuse monitoring and GeoIP blocking.
Optional IP reputation enrichment. Admin-toggled, off by default.
Free, read-only lookups for port and CVE context on IPs you scan.
Spamhaus, Barracuda, SpamCop, and others for IP reputation checks.
No ads. No tracking pixels. No selling of any kind.
We treat security reports as priority tickets. On confirmed incidents, affected teams receive a notice within 72 hours with the scope, cause, and remediation. A post-incident write-up follows when the fix has shipped.
If you believe you have found a security issue, please report it via your account's support channel or the address published in our security.txt. We do not operate a public bug bounty today.
SOC 2 Type I is on our roadmap. We align our controls with SOC 2, ISO 27001, and GDPR principles today, but we have not yet completed a formal audit. Enterprise customers can request the latest posture report.
Metric Tower is architected to be cloud-agnostic and is deployed via Docker Compose today. A Kubernetes deployment reference is on the roadmap. Enterprise teams can contact sales to discuss early-access self-hosted builds.
Our FAQ covers common security and privacy questions in more detail.