Matterport Information Security Overview & Frequently Asked Questions

Contact our Customer Success team if you have any questions.

Introduction

Matterport is committed to keeping our customers data secure, and ensuring private data is protected. The purpose of this document is to provide a high-level overview of Matterport’s security controls, in a document that does not require a non-disclosure agreement (NDA) be in place between respective organizations. The information in this document is therefore not classified as confidential. Additionally more detailed information and documentation is available under NDA, and can be accessed via an online portal provided by (www.whistic.com).

 

Overview of Matterport Information Security and Privacy Programs

Matterport has a formal information security and privacy program in place. The highlights are as follows:

  • A documented Information Security Policy describing administrative, technical and physical controls implemented at Matterport
  • Compliance self-assessments and evidence documentation available under NDA
  • 3rd-party vulnerability and pen tests conducted annually - reports are available under NDA
  • GDPR compliance
  • EU-US and Swiss-US Privacy Shield self-certification

 

Personnel

All Matterport employees and contractors are subject to background checks upon employment, or at the start of a contractor engagement.

Employees are required to acknowledge they have read the employee handbook.

Access to Matterport facilities is controlled via keycards, and monitored by video surveillance. Additional controls are in place for restricted areas. Note that data center access is managed by Amazon Web Services

Upon termination, a formal offboarding process is followed under the supervision of the IT and HR teams

Company-wide Information security and privacy training is conducted annually.

 

Matterport Infrastructure

All Matterport applications are hosted by Amazon Web Services (AWS), and follow a shared infrastructure / multi-tenant architecture.

The following summarizes the key elements of Matterport’s infrastructure:

  • Applications are hosted in the AWS us-east-1 region in Virginia, USA
  • Access to production systems is managed by AWS IAM using MFA and Okta
  • All data at rest is encrypted using AES-256 using AWS KMS for key management
  • All data in motion on the internet is encrypted using HTTPS/TLS 1.2
  • Matterport staff members are granted access to production systems only when necessary to carry out their job function, and only after access is approved by senior management
  • All AWS API calls, and all AWS console/CLI activity is logged using AWS Cloud Trail
  • AWS infrastructure is monitored using AWS Guard Duty and Cloud Health for vulnerabilities and suspicious activity
  • Databases are backed up daily using AWS RDS built-in snapshot functionality, and stored in Amazon S3. All backups are encrypted
  • Data in AWS S3 is distributed in a redundant architecture and has 11 nines of durability
  • Infrastructure performance and uptime is monitoring using Datadog (internal to environment), and Site24x7 (external to environment)

AWS has comprehensive security controls and has multiple compliance certifications in place. AWS security and compliance can be reviewed here: https://aws.amazon.com/security/

 

Matterport Cloud Security

Matterport Cloud (https://my.matterport.com) provides user access control by means of username and passwords. MFA and SSO are not currently supported, but are being considered for future enhancements.

Matterport users typically have either an admin or (regular, or ‘Collaborator’) user role. User role functionality, however, is beyond the scope of this document, and is described in Matterport’s online user documentation :

https://support.matterport.com/hc/en-us/articles/115004080628-Learn-about-Collaborators

 

Space Access

Control 3D spaces, and associated assets created on the Matterport platform, have a simple public/private access control model as follows:

  • All assets belonging to a space are private by default, and can only be accessed within Matterport Cloud by authorized users.
  • If a space is not set to public, it is only accessible to 1) Collaborators that have been given Editor or Viewer access to the model, or 2) Account admins in your account, 3) Matterport staff, when necessary.
  • If a space is set to public, users who have a URL link to it can access it.
  • Access to a space is logged and tagged with at least the source IP address and timestamp, however these logs are typically only available to Matterport staff

 

Matterport Security FAQs

In addition to the information contained in the previous sections, the following table contains answers to frequently asked questions about Matterport’s information security and privacy posture.

Where is the infrastructure located?
Amazon Web Services us-east-1 region in Virginia, USA.
Can a customer’s data be located in another country or AWS region?
No.
Does Matterport use a CDN?
Yes, Fastly.
Are both public and private spaces cached in the Fastly CDN?
Yes.
Can customers control which countries their spaces are cached in?
No, however the CDN is not pre-loaded, so model data is only cached at the closest geographical Fastly POP.
Are there any scalability upper limits for space (3D model) distribution?
No, there are no practical upper limits.
Does each customer have a dedicated environment?
No, the Matterport Cloud is a shared, multi-tenant environment which is logically segregated.
Who can access Matterport infrastructure?
Only Matterport staff with elevated privileges, approved by management, can access the environment.
Is Matterport ISO-27001 certified?
No, formal audits have not taken place, however Matterport follows many of the ISO 27001 guidelines.
Does Matterport have an Information Security Policy? 
Yes, available under NDA.
Is encryption used?
Yes, data at rest is encrypted using AES-256 with AWS KMS for key management. All data in motion on the internet uses HTTPS with TLS 1.2.
Does the Javascript for 3D Showcase have access to the host web page?
No, 3D Showcase is contained in an iframe and has a separate domain from the host web page.
Does Matterport Cloud support SSO / SAML 2.0 / ADFS/ Okta etc,?
No, SSO is not supported.
Does Matterport Cloud enforce password rules?
Yes, admin account passwords must consist of 8 characters, 1 uppercase, 1 lowercase, 1 digit.
Does Matterport conduct 3rd party vulnerability / pen testing?
Yes, annual tests are conducted - results are available under NDA.
How does Matterport protect its environment from DDoS attacks?
All of Matterport’s web infrastructure is located behind the Fastly CDN that proxies all requests and protects the infrastructure from DDoS attacks.
Are logs maintained?
Logs for all AWS internal activity, and also all access to Matterport applications and spaces are maintained, however these logs are generally not available to customers.
Is there a formal change management process in place?
All software and infrastructure changes are managed using Jira, and require multiple levels of approval.
Does Matterport have a formal privacy program?
Yes, Matterport has a formal program, and complies with the GDPR and all other applicable US and international regulations.
Is there a formal privacy policy in place? 
Yes, described in the privacy notice: https://matterport.com/legal/privacy-policy/
Is there an incident response policy in place? 
Yes, can be reviewed under NDA.
Have more questions? Submit a request