Metapack security

Learn about Metapack security policies and standards.

Information security

The Metapack Information Security Management System (ISMS) consists of internal security policies that are aligned to the ISO 27001 framework and cover the following:

  • Asset management
  • Risk management
  • Third-party suppliers
  • Customer data protection
  • Physical and environmental management
  • Software management
  • Network security
  • Operational security
  • Personnel security
  • Disaster recovery

In addition, Metapack conducts internal security audits at least once per year. The Metapack security team shares the results of these audits with senior management and tracks all findings to resolution.

Data protection

Metapack security policies are designed to prevent unauthorised access to customer data and preserve its integrity. Metapack is a data controller for information about its employees and a data processor for all services that it offers to customers. Metapack customers are either data controllers or data processors. Carriers integrated with the Metapack Platform are data processors in their own right for shippers.

Platform security

The Metapack Platform uses the compute and security services of Amazon Web Services (AWS) to create and deploy Metapack products.

Security standards and compliance

AWS supports many security standards and compliance certifications, including PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-17. This enables the Metapack Platform to satisfy compliance requirements for virtually every regulatory agency across the world.

Cloud security

The Metapack Platform makes full use of AWS Cloud Security.

Network protection

All Metapack traffic is passed through a third-party cloud service that provides distributed denial of service (DDoS) protection, a dynamic web application firewall (WAF), and a protected DNS at its network perimeter.

Workload protection

The workload of the Metapack Platform uses Amazon GuardDuty as its intrusion detection system (IDS). GuardDuty continuously monitors for malicious or unauthorised behaviour. It also monitors for activity that indicates a possible compromise or potential intrusion, such as unusual API calls or potentially unauthorised deployments.

Security groups

To maintain the integrity and confidentiality of each customer’s data held in the Metapack Platform, customer-based security groups are applied to data held in each database table relating to that customer.

Penetration testing

Metapack engages with independent specialists to conduct regular application-level and infrastructure-level penetration tests. The Metapack security team shares the results of these tests with Metapack senior management and tracks all findings to resolution.

Logging

Logs from all Metapack Platform components are harvested into a centralised logging repository, so all API and web transactions can be traced all the way through the platform. This aids quick problem diagnosis and recovery. For security reasons, passwords and personal data are not recorded in logs, and all logs are protected from modification.

API security

All Metapack APIs use HTTPS with TLS 1.2 authentication.