Security & Trust

Content Metric is built with a security-first architecture aligned to ISO 27001:2022. Every layer of the platform — from Kubernetes pod isolation to hash-chained audit logs — is designed to keep your data safe.


Compliance Frameworks

Where we stand on industry security standards

ISO 27001:2022

Certification In Progress

81 of 93 Annex A controls are implemented across the organizational, people, physical, and technology domains. The formal certification audit is scheduled.

SOC 2 Type II

In Preparation

We are preparing for a SOC 2 Type II audit covering the security, availability, and confidentiality trust service criteria.

GDPR

Compliant

We process data in accordance with GDPR requirements including data minimization, portability, right to deletion, and privacy impact assessments.

Security Practices

Controls we have implemented across the platform

Tenant Isolation

Every project runs in its own Kubernetes pod with a dedicated database, isolated filesystem, and independent process. Network policies enforce zero cross-tenant communication.

Role-Based Access

Platform admin access is controlled through database-backed RBAC with a 5-level role hierarchy enforcing least-privilege access. Periodic access reviews flag inactive accounts.

Tamper-Proof Audit Logs

All admin and project actions are recorded in a hash-chained audit trail. Each entry includes a SHA-256 hash of the previous entry for tamper detection. Database triggers prevent modification or deletion.
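
The hash chain and append-only triggers described above, as an added illustration that is not Content Metric's own code: a small audit table in SQLite (a stand-in for the platform's PostgreSQL), where each row stores the SHA-256 of the previous row, triggers reject UPDATE and DELETE, and a verifier walks the chain to find the first modified entry. The table layout, column names and the genesis value are assumptions made for the example.

```python
import hashlib
import json
import sqlite3

GENESIS_HASH = "0" * 64  # prev_hash of the very first entry (convention chosen for this example)

# Constructed schema: SQLite here; PostgreSQL triggers would express the same rule.
SCHEMA = """
CREATE TABLE audit_log (
    id         INTEGER PRIMARY KEY AUTOINCREMENT,
    actor      TEXT NOT NULL,
    action     TEXT NOT NULL,
    details    TEXT NOT NULL,   -- canonical JSON
    prev_hash  TEXT NOT NULL,   -- entry_hash of the previous row
    entry_hash TEXT NOT NULL    -- SHA-256 over (prev_hash, actor, action, details)
);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""


def open_audit_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def _entry_hash(prev_hash, actor, action, details_json):
    # Hash a JSON array rather than a joined string, so field boundaries are unambiguous.
    payload = json.dumps([prev_hash, actor, action, details_json], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append_entry(conn, actor, action, details):
    details_json = json.dumps(details, sort_keys=True, separators=(",", ":"))
    # BEGIN IMMEDIATE takes the write lock before reading the tail, so two
    # concurrent writers cannot both chain onto the same previous entry.
    conn.execute("BEGIN IMMEDIATE")
    row = conn.execute("SELECT entry_hash FROM audit_log ORDER BY id DESC LIMIT 1").fetchone()
    prev_hash = row[0] if row else GENESIS_HASH
    entry_hash = _entry_hash(prev_hash, actor, action, details_json)
    conn.execute(
        "INSERT INTO audit_log (actor, action, details, prev_hash, entry_hash) VALUES (?, ?, ?, ?, ?)",
        (actor, action, details_json, prev_hash, entry_hash),
    )
    conn.commit()
    return entry_hash


def verify_chain(conn, expected_head=None):
    """Walk the log from the first entry, recomputing every hash.
    Returns (True, "ok") or (False, reason). expected_head is the newest hash
    anchored outside the database; it catches truncation of the newest rows,
    which a self-consistent chain alone cannot reveal."""
    expected_prev = GENESIS_HASH
    head = GENESIS_HASH
    for row_id, actor, action, details, prev_hash, entry_hash in conn.execute(
        "SELECT id, actor, action, details, prev_hash, entry_hash FROM audit_log ORDER BY id"
    ):
        if prev_hash != expected_prev:
            return False, f"link broken at id {row_id}"
        if _entry_hash(prev_hash, actor, action, details) != entry_hash:
            return False, f"content modified at id {row_id}"
        expected_prev = head = entry_hash
    if expected_head is not None and head != expected_head:
        return False, "head mismatch: newest entries missing or replaced"
    return True, "ok"


def demo():
    """Constructed scenario: normal appends, an edit blocked by the trigger, then
    changes made by someone able to drop the triggers, caught by verify_chain."""
    results = {}
    conn = open_audit_db()
    append_entry(conn, "alice", "project.create", {"project": "demo"})
    head = append_entry(conn, "bob", "role.grant", {"user": "carol", "role": "editor"})
    results["clean"] = verify_chain(conn, expected_head=head)

    try:  # ordinary application code cannot rewrite history
        conn.execute("UPDATE audit_log SET actor = 'mallory' WHERE id = 1")
        results["update_blocked"] = False
    except sqlite3.DatabaseError:
        results["update_blocked"] = True
    conn.rollback()

    # A database superuser can drop the triggers; the chain still exposes the edit.
    conn.executescript("DROP TRIGGER audit_no_update; DROP TRIGGER audit_no_delete;")
    conn.execute("UPDATE audit_log SET actor = 'mallory' WHERE id = 1")
    conn.commit()
    results["edited"] = verify_chain(conn, expected_head=head)

    conn.execute("UPDATE audit_log SET actor = 'alice' WHERE id = 1")  # restore row 1
    conn.execute("DELETE FROM audit_log WHERE id = 2")  # drop the newest entry
    conn.commit()
    results["truncated_no_anchor"] = verify_chain(conn)  # chain looks fine
    results["truncated_with_anchor"] = verify_chain(conn, expected_head=head)  # anchor catches it
    return results
```

The last two checks in `demo()` show the caveat a reviewer should raise: triggers stop the application from editing the log, and the chain exposes any modified row, but removing only the newest rows leaves a perfectly consistent chain. Detecting that requires the latest hash to be recorded somewhere the database administrator cannot reach (a separate log sink, a signed checkpoint, or a write-once store), which is what `expected_head` stands in for here.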

Session Security

Sessions expire automatically after 30 minutes of inactivity, and the user is redirected to sign-in. Sessions are validated server-side on every request to prevent stale access.
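
A server-side idle timeout of the kind described above, as an added example (not the platform's session code): the browser holds only an opaque token, the last-activity timestamp lives on the server, every request re-validates and extends the session, and an expired session is deleted so it cannot be revived. The in-memory store and the injectable clock are constructed for the example; a real deployment would back the table with its database or cache.

```python
from dataclasses import dataclass
import secrets
import time

IDLE_TIMEOUT_SECONDS = 30 * 60  # the 30-minute idle timeout described above


@dataclass
class Session:
    user_id: str
    last_seen: float  # server-side timestamp of the last validated request


class SessionStore:
    """Server-side session table (constructed stand-in for a database/cache)."""

    def __init__(self, clock=time.time):
        self._sessions = {}
        self._clock = clock  # injectable so expiry can be tested without waiting

    def create(self, user_id):
        token = secrets.token_urlsafe(32)  # opaque, unguessable; carries no expiry itself
        self._sessions[token] = Session(user_id, self._clock())
        return token

    def validate(self, token):
        """Called on every request. Returns the user id, or None when the session is
        unknown or has been idle longer than IDLE_TIMEOUT_SECONDS (the caller then
        redirects to sign-in). Expired sessions are removed, not merely rejected."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
            del self._sessions[token]
            return None
        session.last_seen = now  # sliding window: activity extends the session
        return session.user_id

    def sign_out(self, token):
        self._sessions.pop(token, None)


class FakeClock:
    """Constructed clock so the demo can jump forward instead of sleeping."""

    def __init__(self):
        self.now = 1_000_000.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def demo():
    clock = FakeClock()
    store = SessionStore(clock=clock)
    token = store.create("user-42")
    first = store.validate(token)      # fresh session: valid
    clock.advance(29 * 60)
    second = store.validate(token)     # 29 min idle: valid, and the idle timer resets
    clock.advance(29 * 60)
    third = store.validate(token)      # 29 min since the last request: still valid
    clock.advance(31 * 60)
    fourth = store.validate(token)     # 31 min idle: expired, caller redirects to sign-in
    clock.advance(-31 * 60)
    fifth = store.validate(token)      # the expired session was deleted, not just hidden
    return first, second, third, fourth, fifth
```

Because only inactivity is measured, a session that is used continuously never expires; the page describes an idle timeout only, so whether an absolute session lifetime is also applied is an open question a practitioner would want answered.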

Encryption Everywhere

All data is encrypted with TLS 1.3 in transit — including internal database connections. Credentials and secrets are stored encrypted and redacted from all logs.

Multi-Factor Authentication

MFA is enforced for all privileged admin roles (superadmin and platform). Accounts without MFA enabled are blocked from accessing admin functions.

OAuth with PKCE

Single sign-on via Google OAuth with Clerk-managed identity. Authentication uses the PKCE flow to prevent authorization code interception attacks.

Network Policies

Kubernetes network policies enforce default-deny rules across all namespaces. Only explicitly allowed traffic flows between services, preventing lateral movement.

Automated Security Scanning

Every deployment runs through SAST analysis (Semgrep), container image scanning (Trivy), and dependency vulnerability checks. Critical findings block deployment.

Automated Backups

Daily automated PostgreSQL backups with 30-day retention. Restore procedures are documented and tested to ensure business continuity.

Hardened Containers

All containers run as non-root users with read-only filesystems, dropped Linux capabilities, and seccomp profiles. Pod Security Standards are enforced at the namespace level.

Distributed Rate Limiting

Redis-backed rate limiting across all application replicas prevents brute-force attacks and abuse on authentication and API endpoints.

Infrastructure Security

Our Kubernetes infrastructure is hardened at every layer — from network policies enforcing zero-trust communication to non-root containers with read-only filesystems and dropped capabilities.

Every deployment goes through automated security scanning including SAST analysis, container image vulnerability scanning, and dependency auditing before reaching production.

  • HSTS enforcement with long max-age
  • Hardened Content Security Policy (no unsafe-eval)
  • X-Frame-Options and base-uri restrictions
  • Permissions Policy restricting browser features
  • Redis-backed distributed rate limiting
  • Kubernetes network policies (default-deny)
  • Pod Security Standards (baseline enforce, restricted warn)
  • Non-root containers with read-only filesystems
  • Dropped Linux capabilities and seccomp profiles
  • Automated TLS certificates (cert-manager + Let's Encrypt)
  • PostgreSQL TLS for internal database connections
  • Container image scanning (Trivy) in CI/CD
  • SAST scanning (Semgrep) on every commit
  • Automated dependency vulnerability scanning
  • Daily automated database backups with 30-day retention
  • Horizontal Pod Autoscaler for availability

Security Policies & Documentation

We maintain a comprehensive set of security policies aligned with ISO 27001:2022 Annex A controls. These documents are reviewed regularly and updated as our security posture evolves.

Our Statement of Applicability covers all 93 Annex A controls with documented justifications for each control's inclusion or exclusion.

  • Information Security Policy (ISMS)
  • Access Control Policy
  • Incident Response Plan
  • Business Continuity Plan
  • Risk Assessment & Treatment Plan
  • Data Classification Policy
  • Change Management Policy
  • Cryptography Policy
  • Acceptable Use Policy
  • Remote Working Policy
  • Privacy Impact Assessment
  • Statement of Applicability (93 controls)

Data Privacy

How we handle, store, and protect your data

Data Residency

All project data is stored on infrastructure you control. Database files, media uploads, and configuration remain within your deployment environment.

Data Portability

Every project is a standard Strapi instance. You can export your content, schemas, and media at any time using Strapi's built-in export tools or the REST API.

Data Deletion

When you delete a project, data enters a 30-day soft-delete period for recovery, then is permanently removed — database, files, and configuration. Final deletion is irreversible and complete.

No Cross-Tenant Access

Tenant isolation is enforced at the Kubernetes pod, database, network, and filesystem level. Network policies block all cross-tenant communication.

Free to start

Ready to simplify your content management?

Launch your first CMS project in under two minutes. No credit card required.