// Trust & Security Report
Metabase, Inc.
Open-source business intelligence and embedded analytics platform, offered as self-hosted Open Source, self-hosted Enterprise/Pro (Metabase EE), and Metabase Cloud (managed hosting), plus an embedded/OEM analytics SDK and Metabot AI conversational querying feature.
Certifications held
3
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on metabase.com“Our SOC 2 Type II report attests to the controls Metabase has in place governing the security of customer data.”
Verify on metabase.com“Our SOC 1 Type II report provides assurances that Metabase has internal control over financial reporting.”
Verify on metabase.com“At Metabase, we've worked to make our products, processes, and procedures GDPR-compliant.”
> Show 6 unconfirmed / not-held certifications
source: trust.metabase.comNo public evidence: Metabase's own Trust Center (trust.metabase.com, Drata-powered) lists only SOC1 Type II, SOC2 Type I, and SOC2 Type II documents under Compliance; ISO 27001 is not listed there or on metabase.com/security. Third-party mentions of "ISO 27001 + Metabase" found in search were for managed-hosting resellers (e.g. Stellar Hosted, Elestio) certifying their own hosting infrastructure, not Metabase, Inc. itself.
source: metabase.comNo public evidence of a Metabase-issued HIPAA attestation or BAA offering on metabase.com/security or trust.metabase.com. Community/support content instead frames HIPAA as something the customer must configure and operate on top of Metabase (self-hosted/air-gapped deployment, access controls, encryption), not a certification Metabase itself holds.
source: trust.metabase.comNo public evidence on metabase.com/security or trust.metabase.com. Payment processing is delegated to Stripe (listed as a subprocessor), which carries its own PCI DSS attestation; that is the subprocessor's certification, not Metabase's.
source: trust.metabase.comNo public evidence of a FedRAMP authorization on metabase.com or trust.metabase.com.
source: trust.metabase.comNo public evidence of a CSA STAR registry entry or self-assessment on metabase.com or trust.metabase.com.
source: trust.metabase.comNo public evidence. Metabase ships an AI feature (Metabot/Metabase AI) but there is no ISO 42001 or CSA STAR AI certification referenced on its trust center or security page.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Not fixed/guaranteed in the public policy for the standard Cloud offering; the hosting privacy policy states information may be transferred, processed, and stored anywhere in the world, including the United States. AWS us-east-1 is listed as the primary infrastructure subprocessor location in the Trust Center.
Metabase's own documentation states Metabot (the AI querying feature) does not ingest, store, or sync customer data - only the current conversation is retained for the session, and AI operates over metadata/semantic-layer definitions while queries run against the customer's own warehouse, not Metabase servers. Metabase Cloud's Terms of Service include a Data Processing Agreement covering GDPR obligations. Self-hosted customers bring their own LLM key/provider, keeping AI traffic inside their own environment. No contradiction found between marketing and technical docs on this point, but AIFOXX should note this reflects the vendor's own claims about a feature (Metabot) that was not independently audited by this assessment.
// Security controls
Encryption at rest (sensitive fields)
Row-level encryption of connection strings and settings using AES256 + SHA512
metabase.comPenetration testing
Independent application-level and infrastructure-level penetration tests conducted at least twice per year, with a published 'Annual Pen Test - Remediation' artifact in the Trust Center
trust.metabase.comSelf-hosted data access
If you self-host your Metabase instance, we have no access to any of your data, unless you opt in to anonymized usage stats, which contain no personally identifiable information
metabase.comPublished security policies
Vulnerability Management, Vendor Management, System Access Control, Risk Assessment, Responsible Disclosure, Physical Security, Password, and Information Security policies listed
trust.metabase.comSubprocessors
Stripe (payments, USA), AWS (cloud infra/storage, us-east-1), Docusign (contracts, USA), OpenAI (US + worldwide), Grain (AWS USA), Hotjar (EU)
trust.metabase.com// Products & data scope
data: Runs entirely on customer infrastructure; Metabase, Inc. has no access to customer data by default
Free, self-hosted, `docker run` deploy; no cert coverage from Metabase since data never touches their systems
data: Runs on customer infrastructure; adds SSO, permissions, auditing, and embedding features
Same data-locality posture as Open Source; licensing/token validation may call Metabase servers
data: Metabase-managed AWS infrastructure (us-east-1) hosts the application and customer-connected data source credentials
This is the deployment covered by the SOC 1 Type II and SOC 2 Type II reports in the Trust Center
data: Depends on hosting choice (self-hosted vs Cloud) made by the embedding customer
Inherits the security posture of whichever deployment model (self-hosted or Cloud) the customer picks
data: Operates over metadata/semantic definitions; queries execute against the customer's own data warehouse, not Metabase's servers; self-hosted customers can bring their own LLM key
Cloud version's default AI provider is not fully specified publicly; OpenAI is listed as a Trust Center subprocessor
// What to watch
- Multiple third-party aggregator sources (search-engine summaries, RFP/vendor-comparison sites) claim Metabase holds ISO 27001, HIPAA, PCI DSS, FedRAMP, and CSA STAR certifications. None of these are corroborated by Metabase's own Trust Center (trust.metabase.com) or its /security page, which list only SOC 1 Type II and SOC 2 Type I/II. Some of the ISO 27001 claims specifically trace back to third-party managed-hosting resellers of Metabase (e.g. Stellar Hosted, Elestio) certifying their own infrastructure, not Metabase, Inc. This is a host/reseller-vs-vendor conflation risk; AIFOXX should not list these certs as held.
- Metabase's marketing home page states 'it's secure and compliant (SOC1, SOC2, GDPR, CCPA, and more)' - the 'and more' is vague and unverified; graded only the specific named items.
- The Cloud data-region commitment is not firmly pinned down in the public hosting privacy policy (it reserves the right to process data 'anywhere in the world'), which may be a gap for EU-data-residency-sensitive buyers despite the GDPR-compliance posture claim.
- AI-training and data-non-ingestion claims for Metabot (no ingestion/storage of customer data) come from Metabase's own documentation but were not independently audited as part of this assessment; treat as vendor-asserted.
// At a glance
Pricing model
Freemium: free self-hosted Open Source edition; paid Pro/Enterprise self-hosted tiers; paid Metabase Cloud (usage/seat-based) and Embedded Analytics pricing tiers
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Metabase, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.metabase.com