Security

How we protect your data

Last updated: May 12, 2026

AgentMetrics processes production metrics from your AI agents. We take data protection seriously. This page describes our security practices and how to report a vulnerability.

Data in transit

All communication between the AgentMetrics SDK, the API, and the dashboard uses TLS 1.2 or higher. Plaintext HTTP is not accepted: a request that arrives over HTTP is redirected to HTTPS rather than served.
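A server-side redirect protects browsers, but not an SDK: if a client is misconfigured with an http:// base URL, its first request (API key included) has already crossed the network in plaintext before the redirect comes back. The guard below, an added example rather than AgentMetrics' own SDK code, shows the client-side counterpart of the policy above: refuse to build a non-HTTPS request at all, and pin the TLS floor at 1.2 with certificate and hostname verification on. The function names and the endpoint used in the comments are assumptions for illustration.

```python
"""Client-side transport guard for an SDK that sends API keys.

Added example, not AgentMetrics code. Function names and the endpoints
mentioned are assumptions made for illustration.
"""
import http.client
import ssl
from urllib.parse import urlsplit


def require_https(url: str) -> str:
    """Return `url` unchanged if it is an https:// URL, otherwise raise.

    A redirect from http to https cannot un-send a request, so the only
    safe place to enforce "no plaintext" on the client is before the
    connection is opened.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing non-HTTPS endpoint: {url!r}")
    if not parts.hostname:
        raise ValueError(f"endpoint has no host: {url!r}")
    return url


def hardened_ssl_context() -> ssl.SSLContext:
    """TLS context that refuses anything below TLS 1.2.

    create_default_context() loads the system trust store and turns on
    certificate and hostname verification; the explicit minimum_version
    guards against an environment whose OpenSSL defaults still allow
    TLS 1.0/1.1.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_connection(endpoint: str) -> http.client.HTTPSConnection:
    """Hypothetical SDK helper: an HTTPS-only connection for `endpoint`.

    HTTPSConnection does not connect until a request is sent, so this is
    safe to construct offline; the guard runs before anything is opened.
    """
    parts = urlsplit(require_https(endpoint))
    return http.client.HTTPSConnection(
        parts.hostname,
        parts.port or 443,
        context=hardened_ssl_context(),
        timeout=10,
    )
```

`require_https` will, for example, reject `http://api.example.com/v1/events` at construction time instead of leaking the key and then following a redirect.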

Data at rest

Database storage is encrypted at rest. Backups are encrypted before being written to storage. Encryption keys are managed by the cloud provider's key management service and rotated on a scheduled basis.

API key handling

AgentMetrics API keys are hashed with HMAC-SHA256 (a keyed hash; the key is held server-side) before being stored. We never store your API key in plaintext, so if you lose it, it cannot be recovered. Rotate it from the Settings page, which immediately invalidates the old key.

Store your API key in an environment variable or a secrets manager, not in source code. Treat a key that has been committed to a repository as compromised, even if the commit is later removed from the history, and rotate it immediately.
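To make the two points above concrete, here is an added example (not AgentMetrics' own implementation) of server-side key handling: issuing a key, storing only its keyed hash, verifying a presented key in constant time, and rotating it so the old one stops working at once, plus the client-side habit of reading the key from the environment. The key format `am_<id>_<secret>`, the in-memory store, the pepper source and the `AGENTMETRICS_API_KEY` variable name are all assumptions for illustration.

```python
"""Server-side API key issuance, storage and verification.

Added example, not AgentMetrics' own code. The key format (am_<id>_<secret>),
the pepper source, the store and the env var name are assumptions.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# HMAC key ("pepper"). In a real deployment this comes from a secret store or
# KMS and is never written to the database, so a dump of the keys table alone
# cannot be used to check guesses. Generated here so the example runs stand-alone.
PEPPER = secrets.token_bytes(32)

KEY_PREFIX = "am"  # assumed prefix; a fixed prefix also makes leaked keys easy to scan for


def hash_api_key(key: str) -> str:
    """Keyed hash of the plaintext key; this is the only thing stored."""
    return hmac.new(PEPPER, key.encode("utf-8"), hashlib.sha256).hexdigest()


def generate_api_key() -> Tuple[str, str]:
    """Return (plaintext_key, key_id).

    key_id is a non-secret handle used to find the row; the 256-bit random
    secret is what authenticates. A slow hash (bcrypt/argon2) is unnecessary
    here because, unlike a password, the secret cannot be guessed by dictionary.
    """
    key_id = secrets.token_hex(6)
    secret = secrets.token_hex(32)
    return f"{KEY_PREFIX}_{key_id}_{secret}", key_id


def key_id_of(presented: str) -> Optional[str]:
    """Extract the lookup handle from a presented key, or None if malformed."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != KEY_PREFIX:
        return None
    return parts[1]


class ApiKeyStore:
    """Holds only key_id -> (hash, account). The plaintext never enters it."""

    def __init__(self) -> None:
        self._rows: Dict[str, Dict[str, str]] = {}
        self._dummy = hash_api_key("")  # compared against when key_id is unknown

    def issue(self, account: str) -> str:
        key, key_id = generate_api_key()
        self._rows[key_id] = {"hash": hash_api_key(key), "account": account}
        return key  # shown to the user exactly once; not retained

    def authenticate(self, presented: str) -> Optional[str]:
        key_id = key_id_of(presented)
        row = self._rows.get(key_id) if key_id else None
        expected = row["hash"] if row else self._dummy
        # compare_digest is constant-time; hashing and comparing even for an
        # unknown key_id keeps that path from being measurably faster.
        if hmac.compare_digest(expected, hash_api_key(presented)) and row:
            return row["account"]
        return None

    def rotate(self, account: str, key_id: str) -> str:
        """Settings-page rotation: the old key is gone before the new one exists."""
        row = self._rows.get(key_id)
        if row is None or row["account"] != account:
            raise PermissionError("key does not belong to this account")
        del self._rows[key_id]
        return self.issue(account)


def load_api_key_from_env(var: str = "AGENTMETRICS_API_KEY") -> str:
    """Client side: read the key from the environment, never from source."""
    key = os.environ.get(var)
    if not key or key_id_of(key) is None:
        raise RuntimeError(f"set {var} to a valid API key")
    return key
```

The design choice worth noting is the pepper: a bare SHA-256 of a high-entropy key is already hard to invert, but HMAC with a server-held secret means a stolen database cannot even be used to verify candidate keys found elsewhere (old logs, a leaked config), which is the realistic threat for API keys.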

Authentication

User passwords are hashed using a secure, salted algorithm via Supabase Auth. We do not store plaintext passwords at any point in the authentication flow.

OAuth logins (Google, GitHub) delegate authentication entirely to the provider. We receive only an identity token, not your password.

Session tokens are short-lived and stored in HTTP-only, Secure, SameSite=Lax cookies, so they are not readable by page scripts, are sent only over HTTPS, and are not attached to cross-site POST requests.
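The cookie attributes above are easy to verify from outside the service. The checker below is an added example, not part of AgentMetrics or its dashboard: it parses a Set-Cookie header and reports any property the policy requires that is missing. The two sample headers are constructed, and the 24-hour ceiling used to judge "short-lived" is an assumption for this check.

```python
"""Check a Set-Cookie header for the session-cookie properties stated above.

Added example, not AgentMetrics code. The sample headers are constructed and
the 24h ceiling for "short-lived" is an assumption for this check.
"""
from typing import Dict, List, Optional, Tuple

MAX_SESSION_SECONDS = 24 * 60 * 60  # assumed ceiling for a "short-lived" session


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split 'Set-Cookie: name=value; Attr; Attr=val' into (name, {attr: val}).

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to None.
    """
    value = header
    if value.lower().startswith("set-cookie:"):
        value = value.split(":", 1)[1]
    parts = [p.strip() for p in value.split(";")]
    name, _, _ = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        attr, has_value, val = part.partition("=")
        attrs[attr.strip().lower()] = val.strip() if has_value else None
    return name.strip(), attrs


def session_cookie_findings(header: str) -> List[str]:
    """Return a list of problems; an empty list means the cookie meets the policy."""
    _name, attrs = parse_set_cookie(header)
    findings: List[str] = []
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by page scripts, so XSS can steal it")
    if "secure" not in attrs:
        findings.append("missing Secure: would be sent over plaintext HTTP")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"SameSite is {attrs.get('samesite')!r}, expected Lax or Strict")
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            if int(max_age) > MAX_SESSION_SECONDS:
                findings.append(f"Max-Age {max_age}s exceeds {MAX_SESSION_SECONDS}s")
        except ValueError:
            findings.append(f"Max-Age {max_age!r} is not an integer")
    return findings


# Constructed sample headers, not captured from a real service.
GOOD_HEADER = "Set-Cookie: session=abc123; Path=/; Max-Age=3600; HttpOnly; Secure; SameSite=Lax"
BAD_HEADER = "Set-Cookie: session=abc123; Path=/; Max-Age=2592000; SameSite=None"
```

Run against the dashboard's login response, `session_cookie_findings` should return an empty list for the session cookie. A `__Host-` cookie name prefix, which additionally pins `Path=/` and forbids a `Domain` attribute, is a further hardening step the page does not claim and the checker does not require.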

Payment data

Payment card data is never processed or stored by AgentMetrics. All payment handling is delegated to Stripe, Inc., which is PCI DSS Level 1 certified. We store only a Stripe customer ID, the last four card digits, and your billing address for display purposes.

Access controls

Production data access is restricted to the minimal set of employees who need it to operate the Service. No engineer has persistent, unsupervised access to your event data: each access requires multi-party authorization, is logged, and is audited.

Infrastructure

The AgentMetrics cloud is hosted on infrastructure operated by major cloud providers with SOC 2 Type II and ISO 27001 certifications. We use managed database and authentication services rather than running our own. This keeps our attack surface small and relies on providers that specialize in security operations.

Vulnerability disclosure

If you discover a security vulnerability in AgentMetrics, please disclose it responsibly:

  • Email support@agentmetrics.dev with subject line "Security vulnerability"
  • Include a description of the issue, steps to reproduce, and the potential impact
  • Do not publicly disclose the vulnerability until we have had an opportunity to investigate and release a fix
  • Do not access or modify data belonging to other users

We will acknowledge your report within 48 hours and provide a timeline for resolution. We do not currently offer a bug bounty program, but we will credit researchers in our changelog where appropriate (with permission).

Contact

For security questions or vulnerability reports, email support@agentmetrics.dev.