Security

Last updated: June 2026

Metrdy is committed to the security of our platform and the protection of our customers' laboratory data. This page describes our security practices and how to report a vulnerability.

Our security practices

We take a layered approach to security across the Metrdy stack:

  • Encryption in transit and at rest. All connections use TLS 1.2+. Data is encrypted at rest using AES-256 on our database infrastructure (Supabase / AWS).
  • Role-based access control. Access to laboratory data is restricted by role (Lab Manager, Standard User, View-Only) and enforced at both the API and database layers via Row-Level Security.
  • Continuous security scanning. We run static application security testing (Semgrep, OWASP rule sets) and dependency vulnerability scanning (Dependabot) on every code change. Code scanning (GitHub CodeQL) runs on every push to our main branch.
  • No AI training on customer data. Customer laboratory data is never used to train AI models and is not shared with third parties for their commercial purposes. Our optional OCR feature processes images transiently and does not retain input data.
  • Data ownership. You own your data. Metrdy holds only a limited license to store and process it for service delivery. Full data export is available at any time on request.

For a full description of our security controls, see our Privacy Policy and Terms of Service. University or institutional customers may request our security documentation package (HECVAT, policies, and certifications) by contacting support@metrdy.com.

Vulnerability disclosure policy

We appreciate the work of security researchers in identifying vulnerabilities. If you believe you have found a security issue in Metrdy, please report it to us responsibly before public disclosure.

Scope. This policy covers:

  • The Metrdy web application at metrdy.com and its subdomains
  • The Metrdy mobile application (iOS and Android)
  • The Metrdy backend API

Out of scope: vulnerabilities in Supabase, Vercel, Render, or other third-party infrastructure. Please report those directly to the respective vendors.

How to report. Send a detailed report to support@metrdy.com with the subject line “Security Vulnerability Report”. Please include:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions
  • Any supporting evidence (screenshots, proof-of-concept, request/response examples)

Our commitments. We will:

  • Acknowledge receipt within 3 business days
  • Investigate and provide a status update within 10 business days
  • Notify you when the vulnerability has been remediated
  • Not pursue legal action against researchers who report in good faith under this policy
  • Credit reporters (with their permission) in release notes

Guidelines. Please do not access, modify, or delete data belonging to other users; do not perform denial-of-service attacks; and allow us 30 days to remediate before public disclosure.

Contact

For security vulnerability reports: support@metrdy.com — subject line “Security Vulnerability Report”

For compliance and institutional security documentation requests: support@metrdy.com — subject line “Compliance Inquiry”

Response time: within 3 business days.