Security is core to who we are

Data Security

All storage of user data is encrypted at rest with strong encryption keys following industry best practices. Matik does not store the content of customer’s data sources; but instead only the minimum credentials required to access the data. In the event a customer’s credentials are compromised, it is their responsibility to revoke access of the credentials in the Matik app and refresh them with new ones. Additionally, the credentials are encrypted and not viewable by Matik employees or customers once they are saved.

Matik uses Amazon Simple Storage Service (S3) and Relational Database Service (RDS) to store user data including user profiles, data credentials, and content generated from customer data. Both the databases in RDS and buckets in S3 have strong access controls set and are encrypted at rest using the industry-standard AES-256.

Security Incident Detection and Management

Matik takes industry-standard steps to prevent unauthorized access to cloud assets (hosted by AWS) and log key events in that system. Matik uses the Amazon Web Application Firewall (WAF) to protect against unauthorized access to our web application servers, as well as Amazon CloudTrail to record key events to our systems, such as: logins, changes to security lists, and access to protected assets such as databases or S3 buckets. These systems are connected to an alerting system, which alert Matik’s security team in the event of anomalous activities. In the unlikely event of a data breach, Matik will notify all affected customers no later than 72 hours after discovery.

Security Certifications

SOC 2 Certified

Matik has received both its SOC 2 Type I and Type II certification.

GDPR Compliant

We have made significant efforts to ensure Matik is in compliance with the EU's General Data Protection Regulation (GDPR).

Data Backups

Customer data is backed up with a regular cadence using Amazon Relational Database Service (RDS). Following Amazon best practices, Matik creates a full daily snapshot of the database as well as recording transaction logs so that the database can be restored to any time in the past. Each snapshot is saved for 30 days.

Backups are not publicly accessible and are accessible only by Matik technical employees who require access as part of their role. All accesses to backups are logged per customer and are available upon request. Additionally, backups are encrypted at rest, so in the unlikely event an attacker gains access, the content remain inaccessible.

Data Access Management

Matik ensures that all employee accounts with access to sensitive assets are created following Matik’s user account policy:

1. All accounts are associated with a single user
   
2. Matik uses a Role-Based Access Policy (RBAC) to ensure that users have access only to what is needed
   
3. Account access will be removed for Matik employees no longer with the company or whose role no longer requires access to a given set of assets
   
4. Account access will be regularly audited to ensure that only the necessary users have access to a given set of assets
   
5. All accounts follow a strong password policy and use non-SMS two factor authentication
   
6. Users will be locked out after a definite number of incorrect login attempts
   
7. Requests for access are logged
   

Physical and Office Security

Matik ensures that the office is inaccessible by non-employees. Matik also ensures that all the computers used for work will have full disk encryption, strong user passwords, and anti-virus programs installed.

Mobile devices used for work have at minimum a 6 number passcode and optionally biometric security as well as full disk encryption. Additionally, all employees are strongly encouraged to use a password manager that generates long, strong, and unique passwords for each service.

Change Management

Matik ensures that unauthorized users will not be able to change the code of the product and that all changes to the production code are logged and monitored.

Access to Matik’s code repository is controlled via an RBAC and push to production access is restricted to a small subset of the organization. Two factor authentication is required for access to the code base. Sensitive data including user data and access tokens will never be added to the code repository.