Thank you for visiting We currently use Google Translate for your translation experience. We know that this does not translate our content optimally. Therefore, we are currently working hard to make Metrc content available to you on a German platform. We hope to welcome you soon on


Data and security

With a commitment to upholding the highest industry standards, Metrc enables the visibility of secure supply chains through powerful data protections and system safeguards.

A security support employee talking on a headset

What you can see, you can solve.

Multi-Factor Authentication (MFA)

To prevent social engineering attacks, one of the most common methods of data breaches, Metrc utilizes a configurable MFA that can be enabled within the SaaS.

User Access Management

Metrc enables role-based security via defined user roles, which includes granular permission granting. Role-based security makes user authorization easier to manage, ensuring each user has exactly the permissions they need.

Data Encryption

Use of AES-256-bit encryption enhances the security of a message or file by scrambling its contents. This ensures all your data is protected by a complex and secure encryption, at rest and in transit.

Load Balancing & Uptime

Load balancing is a technique used to distribute network or application traffic across multiple servers, resulting in increased capacity and reliability. This helps us achieve our 99.97% uptime, making Metrc the most reliable track and trace SaaS available.

24/7 Monitoring

Metrc networks and systems are designed to defend your data from malware, unauthorized software, and all forms of malicious activity.

Data Security Training

Through continued investment in security awareness and protection, each Metrc employee is thoroughly trained to protect your data as their top priority.

Proven security

Through externally validated data policies and procedures, we stand firm in our data security commitments.

SOC 2 Type II

Metrc received a SOC 2® report from A-LIGN, a third-party auditor, who performs security audits and validates use of sound security measures and practices. Being SOC 2 compliant means proper security systems are implemented around three essential Trust Services Criteria: security, availability, and confidentiality.

PCI-DSS Compliant

The Payment Card Industry Data Security Standards, or PCI-DSS, is a set of prescriptive requirements to which an organization must adhere in order to be considered compliant. The Attestation of Compliance from our selected Qualified Security Assessor provides an independent auditor’s assessment results after testing Metrc security controls.


The Federal Risk and Authorization Management Program, or FedRAMP, is a government-wide program that provides a standardized approach to security. This new level of data security, which extends beyond the common 3 tier ranking system, is exclusively reserved for vetted government-affiliated operations. Utilizing the Azure Government Cloud (Azure Government), Metrc can deploy our track-and-trace system in a FedRAMP authorized environment. Learn more.

NIST 800-53

The National Institute of Standards and Technology (NIST) provides guidance for organizations regarding how to better manage and reduce cybersecurity risk by using the NIST 800-53 rev. 5 security controls as a framework. Security controls were tailored to our infrastructure’s unique risks. Regular internal auditing via formal information security reviews tests the confirmation of the efficacy of the NIST 800-53 based security controls.

Veracode Verified

When acquiring software, customers and prospects deserve to know how secure the software is. As part of Veracode Verified, Metrc can demonstrate through a seal and provide an attestation letter from an industry leader that the application has undergone security testing as part of the development practice. Additionally, participating in the program ensures that our software meets a high standard of application security, reducing risk for the customer. Learn more.


Metrc provides all personnel with security awareness training. This activity is part of initial training for new personnel, before authorizing access to critical systems during onboarding, and at least annually thereafter. Developers specifically perform OWASP Top 10 based trainings and have access to remediation for flaws detected during static code scans of the Metrc system code base. Learn more.

Translate »