Metabase security and disaster recovery plan

Hello Team,

We (company) are looking to use the Metabase self-hosted open source version in our project. We are currently reviewing the Metabase security standards, disaster recovery plan, etc. before we make a final decision in the project. Could you please provide a link to -

  1. Metabase data center location
  2. Security/privacy certification status
  3. Names and links to 3rd parties/services that are used to support the metabase solution
  4. Data encryption standards used
  5. Vulnerability management policy and procedures
  6. Data breach policy related to customer data
  7. DR plan

It would be very helpful if all the above requested information is provided to leverage the best capabilities of Metabase.

Thanks!

Hi @sramesh

If you are running self-hosted, then most of your questions have to be answered by you.

  1. You
  2. You
  3. We don't have a list, but working on a partner program. This forum has a Jobs section, which might be helpful.
  4. Mostly you, but https://www.metabase.com/docs/latest/operations-guide/encrypting-database-details-at-rest.html
  5. https://github.com/metabase/metabase/security
  6. You
  7. You

Thanks for the quick response.
For the

  1. I am looking for the locations of Metabase-maintained hardware/software (could be an on-prem data center location or cloud hosted)
  2. Does that mean Metabase isn't compliant with, for example, ISO 27001 or other ISO security certifications, SOC2, FedRAMP, Cloud Security Alliance, HIPAA/HITRUST, CMMC, PCI-DSS, GDPR, etc. security standards?
  3. To reframe my question: how would Metabase handle the disaster recovery procedure?

Additionally, if we are required to reach out to the Metabase support team to help us resolve an issue, can you provide info on the support personnel (team) who have access to our technical artifacts -

  1. Geographic location of support personnel
  2. Can they be limited to the United States (our office location)?
  3. How does Metabase screen its support personnel (contractors, FTEs who help us in resolving the case)?
  4. Can personnel undergo a US federal government client required background investigation if required?

Hi @sramesh, as @flamber mentioned, if you will be using your own infrastructure to host Metabase, then all questions regarding location of datacenters, standards, etc. have to be answered by your hosting provider, not us, since we only provide open source software that you run.

If you need answers about our hosting solution (Metabase Cloud) since you will use our Cloud to host your Metabase software, or you're considering purchasing Metabase Enterprise, then please write an email to support. Thanks 🙂
