Security built into your data, not bolted on after the fact.
MetalogixERP enforces strict per-tenant isolation on every record, deep in your data — not in app code that can slip. Sign-in rotates session tokens with reuse detection and locks accounts after five failed attempts. We publish what we do and we mean it.
Four guarantees we hold ourselves to.
Tenant isolation, auth hygiene, audit trail, and edge hardening — defined, implemented, and documented. Not marketing claims.
Strict isolation at the data layer
Every business record is walled off by tenant, enforced deep in your data rather than in app code that can slip. Isolation also runs by company, so a multi-entity business keeps each legal entity separated too. A bug in application logic simply cannot leak one customer’s data to another.
- Per-tenant isolation on every record
- Per-company isolation within a tenant
- Enforced at the data layer, not app code
- Elevated access reserved for system tasks only
Auth that respects modern threats
Signed sessions with strict, fully-validated tokens. Session rotation with reuse detection — a replayed token kills the entire session family instantly. Accounts lock after 5 failed attempts. Password-reset links are single-use, expire in an hour, and can’t be replayed.
- Strictly validated signed sessions
- Session rotation with reuse detection
- Account lockout after 5 attempts
- Single-use, expiring password resets
Audit trail on every record
Every record carries its full history — who created it, who last touched it, and when. Nothing is ever truly deleted; records are retired, not erased. The audit log captures every change with the actor, a before/after diff, and a request trace, all searchable in the audit module.
- Non-guessable record IDs
- Retire-don’t-erase — no hard deletes
- Audit log with actor, diff, and request trace
- Fast time-range search across history
Edge + transport
A hardened edge with the full set of modern browser-security headers, encrypted transport everywhere, and locked-down session cookies that script can’t read or steal. Sign-in and password-reset endpoints are rate-limited, and every tenant gets fair-use API caps by plan.
- Full set of browser-security headers
- Locked-down, script-proof session cookies
- Rate-limited sign-in and reset endpoints
- Per-tenant fair-use API caps by plan
Aligned with how SMBs are actually audited.
No vague claims. Each framework gets a specific status — live, in progress, on request, or planned — and an honest description of what it covers.
SOC 2 Type II
In progressAudit in progress; report available under NDA. Controls cover security, availability, confidentiality.
GDPR
LiveData processing addendum on request. EU + US data residency choice. DSAR workflows in the audit module.
CCPA
LiveRight to access + delete handled via audit module DSAR workflow.
HIPAA-ready
On requestBAA available for healthcare-adjacent customers. Encrypted at rest + in transit, audit log per access.
ISO 27001
PlannedRoadmap 2026 Q4.
PCI DSS
Out of scopeTokenized payments via Stripe — MetalogixERP never stores card numbers.
How a single API request is secured, end to end.
Five enforcement points between client and row. Each one is independent — defense in depth means a slip at one layer is caught by the next.
- ClientBrowser or mobile · session held in a script-proof cookie
- Secure edgeEncrypted transport · security headers · rate-limit
- ApplicationValidate the signed session · validate every input
- Isolation contextTenant and company stamped onto the request
- Your dataEvery query filtered to your tenant and company
The edge is the first filter. It encrypts transport, applies the full set of browser-security headers, and rate-limits unauthenticated traffic. A flood on the sign-in endpoint never reaches the application.
The application enforces shape. The signed session is fully validated before anything runs, and every request body and parameter is checked against a strict schema. Reject early, reject loud.
Your data enforces ownership. Before any query runs, the request's tenant and company are stamped onto the session. Every read, update, and delete is then filtered to exactly what you own. A bug in application logic cannot return a record from another customer — the record simply never comes back.
Built to survive bad days, too.
Continuous backup, tested recovery, residency choice, customer-controlled encryption, and AI that inherits your access — not bypasses it. The operational floor you need before signing the MSA.
Backups
Continuous transaction-level backups plus nightly full backups. 30-day point-in-time recovery on Growth+. 90-day on Enterprise.
RTO / RPO
Recovery time objective: 1 hour. Recovery point objective: 15 minutes. Tested quarterly.
Data residency
EU (Frankfurt) or US (Virginia). Customer choice at provision. No cross-region replication without explicit consent.
BYOK
Bring-your-own-key encryption available on Enterprise. AWS KMS or GCP KMS, your account, your rotation policy.
AI & MCP access
The copilot and the MCP server act as the signed-in user — the session is forwarded, so every AI read and write passes the same isolation rules. An agent never sees a record the user could not. Eight model providers (OpenAI, Anthropic, Gemini, OpenRouter, self-hosted Ollama, plus CLI auth), no standing super-user.
Found something? Tell us. We'll respond.
We run a private bug bounty with a 30-day SLA on triage. Critical issues get same-day response. Hall of fame for credited researchers.
Email peter@metalogix.solutions. Please give us reasonable time to remediate before public disclosure. We do not pursue legal action against good-faith research.
- 30-day triage SLA, same-day for criticals
- Acknowledged in our security hall of fame
- Safe harbor for good-faith research
peter@metalogix.solutions
One human reads every inbound. Encrypted reports welcome — GPG key available on request, replied with the fingerprint inline.
Want a security review walkthrough?
Our CTO will walk your team through how we isolate your data, secure sign-in, and audit every change. 45 minutes, live.