Supermetal Documentation

Supermetal's security architecture is designed to protect your data while maintaining the flexibility of our Bring Your Own Cloud (BYOC) model. This document provides information on how we secure both the Supermetal Control Plane and Data Plane components.

Security Architecture

Supermetal employs a secure, split-architecture model that separates our responsibilities from yours:

Control Plane: Managed by Supermetal, providing orchestration, monitoring, and management capabilities
Data Plane: Deployed in your cloud environment (AWS or Azure), processing your data within your security perimeter

Authentication & Access Control

Control Plane Authentication

Supermetal's Control Plane implements multiple layers of authentication to protect your account and data:

Authentication Method	Description
User Authentication	Access to the Supermetal Cloud Console requires strong user authentication
SSO Integration	Support for SAML/OIDC providers like Okta, Azure AD / Microsoft Entra ID, Google Workspace
Multi-Factor Authentication	Optional but recommended MFA for additional account security
API Authentication	API keys for programmatic access with time-based expiration

Role-Based Access Control (RBAC)

Supermetal's access control system enables precise permission management:

Predefined Roles: Admin, Operator, Viewer roles with appropriate permissions
Custom Roles: Create roles with specific permissions for your organization's needs
Resource-Level Permissions: Control access to specific connections, and environments

Network Security

Control Plane Network Security

All Control Plane services operate within private subnets with strict security controls
TLS 1.2+ for all communications with the Control Plane

Data Plane Network Security

The Data Plane operates entirely within your cloud environment:

VPC/VNet Isolation: The Supermetal Agent runs within your private virtual network
Private Connectivity Options:
- AWS: PrivateLink for secure connectivity to the Control Plane
- Azure: Private Link for secure connectivity to the Control Plane

Data Security & Encryption

Encryption in Transit

Browser to Console: HTTPS with TLS 1.2+
Control Plane to Data Plane: TLS 1.2+ over private connections
Data Plane to Databases: TLS connections for database communication

Encryption at Rest

Control Plane: All configuration data encrypted at rest using AWS KMS keys (AES-GCM-256)
Data Plane:
- Buffer bucket/container is encrypted using your cloud provider's KMS/Key Vault encryption
- Customer-managed keys (CMKs) support for enhanced control

Data Processing

Data remains within your cloud environment
No persistent data storage in the Supermetal Control Plane
Only metadata and telemetry are sent to the Control Plane

Secrets Management

Supermetal implements a secure approach to credential management:

Zero Knowledge Design: Supermetal control plane stores encrypted database credentials, only the data plane agents have access to decrypt the credentials
Cloud Provider Integration:
- AWS: Integration with Secrets Manager for credential retrieval
- Azure: Integration with Key Vault for secure credential storage

Shared Responsibility Model

Supermetal operates on a shared responsibility model for security in our BYOC deployments. This model clearly defines which security aspects are managed by Supermetal and which are the customer's responsibility.

Category	Security Area	Supermetal Responsibility	Customer Responsibility
Infrastructure & Compute	Control Plane infrastructure	✓
	Data Plane infrastructure	✓
Software & Updates	Control Plane security	✓
	Data Plane security	✓
	Control Plane updates	✓
	Data Plane updates	✓ (provides)	✓ (applies)
Network Security	Network security for Control Plane	✓
	Network security for Data Plane	✓	✓ (allow access)
	VPC/VNet configuration	✓ (requirements)	✓ (implementation)
	Private Link/Endpoint (Control Plane side)	✓
	Private Link/Endpoint (Customer side)		✓
Identity & Access Management	Control Plane authentication	✓
	User access management	✓ (platform controls)	✓ (user assignment)
	IAM roles/policies for Agent	✓ (guidance)	✓ (implementation)
	Database access controls		✓
Data Security	Encryption of Control Plane data	✓
	Encryption of Data Plane / Agent buffer	✓ (provides)	✓ (applies)
	Database security		✓
	Data residency controls	✓ (options)	✓ (enforcement)
	Database credentials management	✓ (encryption)	✓ (management)
Monitoring & Incident Response	Monitoring of Control Plane	✓
	Monitoring of Data Plane	✓ (agent health)	✓ (environment)
	Security incident response (Control Plane)	✓
	Security incident response (Data Plane)	✓ (assistance)	✓ (primary)
	Audit logging for Control Plane	✓
	Audit logging for Data Plane	✓ (agent logs)	✓ (infrastructure)
Compliance & Governance	Regulatory compliance documentation	✓ (platform)	✓ (overall)
	Compliance certifications	✓ (platform)
	Security policies and procedures	✓ (platform)	✓ (organization)
	Risk assessments	✓ (platform)	✓ (implementation)

Supermetal is responsible for the security of the Control Plane, the Agent security, platform authentication, encryption of Control Plane data, and providing security requirements and guidance for the Data Plane.
Customers are responsible for securing their cloud environment, implementing IAM roles/policies, database security, and providing the cloud infrastructure where Supermetal manages the Data Plane components.
Shared responsibilities include:
- Network security for Data Plane: Supermetal manages the security of Data Plane components, while customers configure their cloud environment to allow appropriate access.
- Data Plane monitoring: Supermetal monitors agent health and functionality, while customers monitor the infrastructure environment.
- Security updates: Supermetal provides secure updates, while customers are responsible for applying them.
- Encryption: Supermetal designs encryption requirements, while customers implement them in their environment.

Security

On this page