Get Started Free

Security at SegMetrics

Updated: May 26, 2026

SegMetrics is built to handle the data that marketing teams depend on — attribution paths, conversion records, customer journey data — and we take the responsibility that comes with that seriously. This page summarises the security program that protects Customer data, our application, and our operations.

The contractual version of these controls is set out in Annex IV of our Data Processing Agreement at segmetrics.io/dpa/. Operational status and incident history are at status.segmetrics.io.

1. Compliance and attestations

We rely on the attestations of our key infrastructure providers — the certifications each holds are listed alongside them in our subprocessor list at segmetrics.io/subprocessors/.

We respond to Customer security questionnaires and vendor risk reviews on request. To start a review, contact security@segmetrics.io.

2. Data protection

Encryption in transit

All external connections to the SegMetrics Platform and our Sites use TLS 1.2 or higher. We do not accept unencrypted HTTP connections to authenticated endpoints.

Encryption at rest

Customer data in our production databases and object storage is encrypted at rest using AES-256. Encryption keys are managed by our infrastructure providers and are kept separate from the data they protect.

Backups

Backups of Customer data are encrypted, run automatically on a daily schedule, and expire on a rolling 30-day basis. Section 14 of the DPA describes our backup and deletion timing in detail. We maintain documented Recovery Time and Recovery Point Objectives (RTO/RPO) and tested procedures for restoring service from backups.

Passwords

Account holder passwords are hashed with BCrypt before storage. Cleartext passwords are never stored and are not accessible to SegMetrics personnel.

Data location

Customer data is processed and stored in the United States. The specific regions used by each subprocessor are listed in our subprocessor table.

3. Access control

Internal access (SegMetrics personnel)

  • Production access requires single sign-on with multi-factor authentication. We do not maintain shared accounts.
  • Access follows least-privilege defaults; new roles receive only the permissions required for their function.
  • Access is reviewed periodically and revoked promptly on role change or termination.
  • Personnel with access to production systems undergo background checks where permitted by law.

SegMetrics personnel do not access Customer data routinely. We access Customer data only when necessary to deliver, support, or secure the Services, and only the minimum data needed.

Customer-facing access controls

The SegMetrics application provides Customer administrators with:

  • Role-based access control for team members within a Customer account
  • Audit logs of administrative and access events
  • API key rotation and scoping
  • Session timeout and forced re-authentication

4. Infrastructure and network security

The SegMetrics Platform is hosted in the United States. The application tier runs on DigitalOcean (NYC region). Object storage and the underlying managed database infrastructure run on AWS (Oregon, us-west-2). The analytics database is provided by SingleStore (Oregon, us-west-2). The complete list, with each provider’s certifications, is published at segmetrics.io/subprocessors/.

The application sits behind Cloudflare, which provides:

  • Edge-level web application firewall
  • DDoS protection
  • Rate limiting and bot mitigation
  • TLS termination for the public edge

Application and data tiers communicate over private networking. Production server images are hardened from baseline and patched on a regular cadence.

5. Application security

We follow a secure development lifecycle that includes:

  • Code review for changes to production systems
  • Automated dependency scanning to detect known vulnerabilities in third-party libraries
  • Application error and performance monitoring through Sentry, which surfaces unexpected behavior in production and feeds our incident detection process

The AI Insights feature uses OpenAI as a subprocessor and is opt-in per Customer account. Data sent to OpenAI is not used to train OpenAI models or improve OpenAI’s services. SegMetrics does not use Customer data, Site visitor data, or Account Holder data to train SegMetrics’ own AI or machine-learning models.

6. Operational security

Personnel

  • All SegMetrics personnel sign confidentiality and acceptable-use agreements at onboarding.
  • New personnel receive a security and privacy briefing on hire.
  • Background checks are conducted on personnel with production access where permitted by law.

Subprocessor management

Every subprocessor that processes Customer data undergoes a security and privacy review before engagement. We require subprocessors to enter into data protection agreements consistent with the obligations we make to Customers in our DPA. We monitor subprocessor certifications and security advisories on an ongoing basis. Updates to the subprocessor list are communicated in advance per Section 11 of the DPA.

7. Incident response and business continuity

Incident response

We maintain documented incident response procedures and 24/7 on-call coverage. At a high level, our response process is:

  1. Detect. Issues are surfaced through Sentry, infrastructure alerts, customer reports, or internal observation.
  2. Triage. The on-call engineer assigns a severity and escalates as needed.
  3. Coordinate. For severity-affecting incidents, an incident commander is appointed to coordinate response, communications, and remediation.
  4. Notify. Affected Customers are notified without undue delay, in accordance with Section 13 of the DPA and applicable law.
  5. Review. A post-incident review identifies root causes and follow-up actions.

Real-time service status, current incidents, and incident history are published at status.segmetrics.io. Customers can subscribe to status updates there to receive notifications of service disruptions.

Business continuity and disaster recovery

We maintain documented business continuity and disaster recovery procedures, including:

  • Defined Recovery Time and Recovery Point Objectives
  • Redundancy for critical infrastructure (database, object storage, application tier)
  • Automated, encrypted backups with documented restore procedures
  • Documented runbooks for major-incident scenarios

8. HIPAA

The Platform is not currently configured to receive, store, or process Protected Health Information (PHI). SegMetrics is not currently operating as a HIPAA Business Associate and does not have any active Business Associate Agreements (BAAs) in place.

If your intended use of the Platform involves PHI, contact us before transmitting any such information. We are willing to consider entering into a BAA on a case-by-case basis where appropriate; no Customer may transmit PHI through the Platform without a BAA executed in advance with SegMetrics.

9. Reporting a security issue

If you believe you’ve found a security issue in the SegMetrics Platform, our Sites, or our infrastructure, email security@segmetrics.io with details. Include reproduction steps where possible and let us know whether you’d like to be credited if we publish a fix.

We review every report we receive. We do not currently operate a formal bug bounty program or pay for vulnerability reports, but we appreciate responsible disclosure and will work in good faith with researchers to confirm and remediate confirmed issues.

To protect Customer data and service availability, please do not test for vulnerabilities in ways that could:

  • Affect Customer data or accounts that aren’t your own
  • Degrade availability of the Platform or our Sites
  • Violate applicable law

Out of scope for this intake: physical attacks against SegMetrics or its personnel, social engineering of SegMetrics personnel or Customers, automated scanning that generates significant traffic, and testing against Customer-owned data or accounts.

10. Requesting security documentation

Customers and prospective Customers can request the following under NDA:

  • Vendor security questionnaire responses
  • Other available security documentation as relevant to a specific review

The following are publicly available without NDA:

To request documentation, email security@segmetrics.io with your company name and the specific items needed.

11. Contact

  • Security issues and questionnaires: security@segmetrics.io
  • Privacy questions and data subject requests: privacy@segmetrics.io
  • General support: support@segmetrics.io

SegMetrics, Inc.