Trust & Security

Security at Metatate

A decision layer holds the rules behind your data — so it has to clear a higher bar than the tools around it. Metatate keeps policies where your data lives, gives agents read-only answers, and isolates every tenant by construction.

Talk to us about a security review

In your account, not ours

On Snowflake, Metatate runs as a Native App inside your own account. Policies are authored, stored, and evaluated where your data already lives; Cortex Agents and Cortex Code call the decision layer over MCP or as native SQL functions with zero data egress.

Metatate for Snowflake →

Tenant-scoped by construction

On the cross-platform product, every environment gets its own scoped MCP endpoint. Agents authenticate with bearer tokens you issue and revoke from the app, and the tenant context is resolved from the token and pinned on every read — there is no cross-tenant query path.

Metatate Platform →

Agents get answers, never write access

The MCP tools agents call are read-only and advisory by contract: they never approve, publish, mask, block, or write governance state. An agent can ask what the rules are and whether a use is allowed — changing the rules stays with people, in the app, behind your review flow.

How the MCP server works →

Independently audited

Metatate, Inc. has completed a SOC 2 Type I examination against the Security trust services criteria. The full report is available to prospective customers under NDA.

Request the report →

Control families in the examination

Change management

Encryption standards

Identity and access management

Security awareness training

Security incident response

Security monitoring and reporting

Threat and vulnerability management

Vendor risk management

Data handling at a glance

Everything in transit is encrypted with TLS — the app, the MCP endpoint, and every connector.

Warehouse and database credentials live in a dedicated secrets vault, encrypted at rest and decrypted only at connection time.

Tenant isolation is enforced at the database layer with row-level security, not just in application code.

A current subprocessor list is available on request.