Skip to content
Security & reliability

Specific commitments, not waffle.

Your stock, prices, margins and customer list are the business. Here is exactly how MetlSys protects them — stated precisely, because “enterprise-grade” means nothing on an audit day.

Tenant isolation by design

Each company lives in its own Postgres schema. Every request is checked — authentication, company membership, then role — before it touches data, and row-level security backs the shared tables as defence in depth. One merchant can never read another's stock, orders or ledger.

SCHEMA-PER-TENANT · APP-ENFORCED

Roles & two-factor

Seven operational roles — admin, manager, sales, production, warehouse, accounts, read-only — gate what each person can do, not just see. TOTP two-factor is per user and can be required company-wide.

REQUIRE_ROLE · TOTP MFA

An audit trail that names names

Database triggers record every insert, update and delete on financial, inventory and traceability tables — old values, new values, who, when. Voids and un-despatches are two-step reversals, never silent edits.

IMMUTABLE AUDIT LOG

Private files, short-lived links

Mill certificates and document bundles live in private storage buckets. Access is only ever by signed URL — portal bundle links expire in minutes.

SIGNED URLS · PRIVATE BUCKETS

A portal that can't wander

Customer portal logins are scoped to exactly one customer account, fixed at login — never taken from user input. Buyers see their orders and documents; nothing else exists for them.

CUSTOMER-SCOPED ACCESS

AI inside a box

Assistant report queries are read-only, single-statement, and confined to your company's schema. Writes are typed actions behind explicit confirmation. Your data is not used to train AI models.

READ-ONLY SQL · CONFIRMED WRITES

Platform

Where it runs, plainly.

DatabaseManaged Postgres 16 on Supabase, hosted in London (eu-west-2). Your primary data store stays in the UK.
EncryptionTLS in transit; encrypted at rest on the managed platform.
BackupsPlatform-managed backups on Supabase. Recovery-point detail published once verified — no glossy RPO claims we haven't tested. [CONFIRM-WITH-MARK: backup cadence/PITR wording]
GDPRData-subject export, erasure (anonymise-in-place, preserving statutory financial records) and retention purges are built into the product, and every request is logged.
Development & supportBuilt and supported in the UK by Reload IT Ltd.

What you won’t find here: badges we haven’t earned. No SOC 2, ISO 27001 or recovery-time promises appear on this page until they are real and evidenced.

Ask the security questions directly.

Architecture, isolation, audit, data residency — put them to the person who built it, in the demo.