Contact our Customer Success team if you have any questions.
Matterport is committed to keeping our customers' data secure and ensuring that private data is protected. The purpose of this document is to provide a high-level overview of Matterport’s security controls in a form that does not require a non-disclosure agreement (NDA) to be in place between the respective organizations. The information in this document is therefore not classified as confidential. Additionally, more detailed information and documentation is available under NDA, and can be accessed via an online portal provided by www.whistic.com.
Overview of Matterport Information Security and Privacy Programs
Matterport has a formal information security and privacy program in place. The highlights are as follows:
- A documented Information Security Policy describing administrative, technical and physical controls implemented at Matterport
- Compliance self-assessments and evidence documentation available under NDA
- 3rd-party vulnerability and pen tests conducted annually - reports are available under NDA
- GDPR compliance
- EU-US and Swiss-US Privacy Shield self-certification
All Matterport employees and contractors are subject to background checks upon employment, or at the start of a contractor engagement.
Employees are required to acknowledge they have read the employee handbook.
Access to Matterport facilities is controlled via keycards and monitored by video surveillance. Additional controls are in place for restricted areas. Note that data center access is managed by Amazon Web Services.
Upon termination, a formal offboarding process is followed under the supervision of the IT and HR teams.
Company-wide information security and privacy training is conducted annually.
All Matterport applications are hosted by Amazon Web Services (AWS), and follow a shared infrastructure / multi-tenant architecture.
The following summarizes the key elements of Matterport’s infrastructure:
- Applications are hosted in the AWS us-east-1 region in Virginia, USA
- Access to production systems is managed by AWS IAM using MFA and Okta
- All data at rest is encrypted with AES-256, using AWS KMS for key management
- All data in motion on the internet is encrypted using HTTPS/TLS 1.2
- Matterport staff members are granted access to production systems only when necessary to carry out their job function, and only after access is approved by senior management
- All AWS API calls and all AWS console/CLI activity are logged using AWS CloudTrail
- AWS infrastructure is monitored for vulnerabilities and suspicious activity using AWS GuardDuty and CloudHealth
- Databases are backed up daily using AWS RDS built-in snapshot functionality, and stored in Amazon S3. All backups are encrypted
- Data in AWS S3 is distributed in a redundant architecture and has 11 nines of durability
- Infrastructure performance and uptime are monitored using Datadog (internal to environment) and Site24x7 (external to environment)
AWS has comprehensive security controls and has multiple compliance certifications in place. AWS security and compliance can be reviewed here: https://aws.amazon.com/security/
Matterport Cloud Security
Matterport Cloud (https://my.matterport.com) provides user access control by means of usernames and passwords. MFA and SSO are not currently supported, but are being considered for future enhancements.
Matterport users typically have either an admin role or a regular (‘Collaborator’) user role. User role functionality, however, is beyond the scope of this document, and is described in Matterport’s online user documentation.
3D spaces, and associated assets created on the Matterport platform, have a simple public/private access control model as follows:
- All assets belonging to a space are private by default, and can only be accessed within Matterport Cloud by authorized users.
- If a space is not set to public, it is only accessible to 1) Collaborators that have been given Editor or Viewer access to the model, 2) Account admins in your account, and 3) Matterport staff, when necessary.
- If a space is set to public, users who have a URL link to it can access it.
- Access to a space is logged and tagged with at least the source IP address and timestamp; however, these logs are typically only available to Matterport staff.
Matterport Security FAQs
In addition to the information contained in the previous sections, the following table contains answers to frequently asked questions about Matterport’s information security and privacy posture.