PushMetrics is built with security as a core priority. This page summarizes our security practices and what you need to know as a user. For the full security policy, see our Security Policy.
Data Encryption
In Transit
All communications with PushMetrics are encrypted using TLS (Transport Layer Security). This applies to:
- Browser connections to the PushMetrics web application
- API calls
- Connections between PushMetrics and your databases or integrations
- Webhook and notification traffic
At Rest
All data stored by PushMetrics is encrypted at rest using AES-256 encryption. This includes:
- Database records (Amazon RDS)
- File storage (Amazon S3)
- Backups
Authentication
PushMetrics uses Auth0 for user authentication, providing:
- Secure password storage — passwords are hashed and never stored in plain text
- Google SSO — sign in with your Google account via OAuth
- Session management — secure session tokens with automatic expiration
For more details on Auth0's security practices, see auth0.com/security.
Database Credentials
When you connect a database to PushMetrics, your credentials are:
- Encrypted at rest using AES-256
- Never logged in application logs or execution outputs
- Accessible only to the PushMetrics backend services that need them to execute your queries
We recommend creating a read-only database user for PushMetrics with access limited to only the schemas and tables your team needs. This follows the principle of least privilege.
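One way to set up the read-only user recommended above, as an added example rather than PushMetrics' own code. It assumes PostgreSQL; the role, database, schema and table names (pushmetrics_ro, analytics_db, reporting, orders, customers) and the password are hypothetical placeholders.

```sql
-- Added example. PostgreSQL is assumed; every identifier below is a
-- hypothetical placeholder to be replaced with your own names.

-- 1. Dedicated login role with no elevated attributes and a small
--    connection cap, so the integration cannot exhaust the server.
CREATE ROLE pushmetrics_ro
  LOGIN
  PASSWORD 'REPLACE_WITH_GENERATED_SECRET'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOREPLICATION
  CONNECTION LIMIT 5;

-- 2. Allow connecting only to the database that holds the reporting data.
GRANT CONNECT ON DATABASE analytics_db TO pushmetrics_ro;

-- 3. Expose one schema, and within it only the tables the team needs.
--    USAGE lets the role resolve object names; SELECT is granted per table,
--    so tables added later are not readable until explicitly granted.
GRANT USAGE ON SCHEMA reporting TO pushmetrics_ro;
GRANT SELECT ON reporting.orders, reporting.customers TO pushmetrics_ro;

-- 4. Before PostgreSQL 15, every role can create objects in schema "public"
--    by default. Removing that affects all roles, so check other users first.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 5. Guard rails, not a security boundary: a session can override these
--    settings, so the grants in step 3 remain the actual control.
ALTER ROLE pushmetrics_ro SET default_transaction_read_only = on;
ALTER ROLE pushmetrics_ro SET statement_timeout = '60s';

-- 6. Audit: list every table privilege the role holds, then probe for a
--    write privilege on one of the granted tables.
SELECT table_schema, table_name, privilege_type
FROM information_schema.role_table_grants
WHERE grantee = 'pushmetrics_ro'
ORDER BY table_schema, table_name;

SELECT has_table_privilege('pushmetrics_ro', 'reporting.orders', 'INSERT')
       AS can_insert;
```

Rerun the audit queries in step 6 after any schema change to confirm the role's access has not widened.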
Network Security
PushMetrics IP Address
PushMetrics connects to your databases and external services from a static IP address:
18.156.113.81/32
Use this IP to configure firewall rules and allowlists for your databases, SFTP servers, and other services.
Infrastructure
All PushMetrics infrastructure runs on Amazon AWS in European regions, with:
- Network segmentation — production, testing, and development environments are isolated
- VPC configuration — services run in private subnets where possible
- AWS PrivateLink — available for customers who need private connectivity without exposing traffic to the public internet. See AWS PrivateLink Connection for setup instructions.
Access Control
User Roles
PushMetrics supports role-based access control to manage what users can do within a workspace:
- Admin — full access to all workspace settings, integrations, user management, and content
- User — can create and edit notebooks, reports, and tasks
- Guest — limited read-only access
See User Management for details on managing users and roles.
Sharing & Permissions
Notebooks and reports have granular sharing settings that control who can view, edit, or execute them. See Sharing & Permissions for details.
Compliance
GDPR
PushMetrics is committed to GDPR compliance. We follow all guidelines and recommendations regarding the data and information we handle, process, and store.
Data Processing Agreement
A Data Processing Agreement (DPA) is available for customers who need it. See our DPA for the full agreement.
Data Classification
PushMetrics classifies all data into four categories, each with appropriate access controls and monitoring:
- Public — marketing information and public website content
- Internal — unreleased product information and roadmap details
- Private — operational data about PushMetrics
- Confidential — customer data and employee information
Backups & Recovery
- Daily backups of all databases, retained for up to 30 days
- Regular data recovery exercises to ensure backup integrity
- Infrastructure built on Amazon AWS managed services with built-in redundancy
Incident Management
PushMetrics has a formal incident management process:
- Monitoring — AWS CloudWatch and CloudTrail for anomaly detection and activity auditing
- Alerting — automated alerts for suspicious or anomalous behavior
- Response — structured incident management with root cause analysis
- Communication — defined escalation and notification procedures
Vulnerability Management
- Code review — all code is reviewed before release for security vulnerabilities
- Automated scanning — third-party dependencies monitored via Dependabot for known vulnerabilities
- Response times — critical vulnerabilities addressed within 1 day, medium risk within 8 days (based on CVSS score)
- Security testing — semi-automatic scanning tools used for new features
Reporting Vulnerabilities
If you discover a security vulnerability in PushMetrics, please contact us at security@pushmetrics.io. We appreciate responsible disclosure and will respond promptly to all reports.