Security

Your clients' data deserves verified security.

Matter holds CASA Tier 3 certification. An independent, authorised security lab manually tested the application across all 14 OWASP ASVS categories.

What makes Matter secure?

Migration practices handle highly sensitive client records. Security claims only matter if the application itself was independently tested for flaws. Matter holds CASA Tier 3 certification, which means an authorised security lab manually tested the application across all 14 OWASP ASVS categories.

Why it matters

Migration practices handle passports, financial records, health documents, and other files that create real harm if exposed.

What to look for

Claims like "SSL" and "cloud hosting" are table stakes. They do not prove the application was tested for vulnerabilities.

What Matter proves

Matter holds CASA Tier 3, which requires manual penetration testing by an authorised security lab across the OWASP ASVS.

See CASA Tier 3 Review technical controls Read security FAQs

CASA Tier 3

What CASA Tier 3 actually means.

The Cloud Application Security Assessment was developed by the App Defense Alliance, a coalition led by Google, Meta, and Microsoft. It is built on the OWASP Application Security Verification Standard (ASVS), a widely used standard for application security testing.

CASA has three tiers. They are not interchangeable.

1

Tier 1: Self-assessment

The developer fills out a questionnaire about their own security practices.

2

Tier 2: Automated scanning

An automated tool scans the application for known vulnerabilities. Better than self-assessment, but limited to what scanners can detect.

3

Tier 3: Independent manual penetration testing

An authorised security lab manually tests the application across all 14 OWASP ASVS categories, including authentication, session management, access control, cryptography, and error handling.

Matter holds Tier 3. Recertified annually. Each assessment produces a formal Letter of Validation from the authorised lab.

CASA Tier 3 vs ISO 27001. Different things.

ISO 27001 certifies your security processes. It says your organisation has policies for managing information security: access reviews, incident response plans, risk registers. It does not test whether the application itself has vulnerabilities.

CASA Tier 3 certifies the actual application. A security lab sat down and tried to break it, methodically, across 14 categories of known attack vectors.

They are complementary. One certifies the organisation. The other certifies the code.

Engineering

Built by engineers with deep cloud-security experience.

The team behind Matter spent decades building and operating cloud software at Atlassian. That background shapes how Matter is designed, reviewed, and operated.

Threat modelling, secure code review, practice isolation, and annual independent testing are part of the product discipline, not an afterthought.

Technical details

Under the hood.

Encryption at rest and in transit

All data encrypted with AES-256 at rest. TLS 1.3 for every connection. No exceptions.

Practice isolation

Every migration agency gets an isolated practice. Your data is separated from other agencies at the infrastructure level, not just the application level.

Role-based access controls

Staff members see only what they need. Principals control access. Granular permissions per role.

Audit logging

Every action recorded with timestamps and attribution. If OMARA asks who accessed a file and when, you have the answer.

No client data in AI training

Matter uses AI features for automation. Your clients' data is never used to train models. Full stop.

Security FAQ

Common questions

Direct answers for firms evaluating Matter's security posture.

What is CASA Tier 3 certification?

CASA Tier 3 is the highest tier of the Cloud Application Security Assessment, developed by the App Defense Alliance. It requires independent manual penetration testing across all 14 categories of the OWASP Application Security Verification Standard.

See the breakdown

How does CASA Tier 3 differ from ISO 27001?

ISO 27001 certifies how an organisation manages security. CASA Tier 3 verifies that the actual application was independently tested for security flaws. They are complementary, but they are not the same thing.

Compare the two

How does Matter protect client records day to day?

Matter combines encryption at rest and in transit, isolated practices, role-based access controls, and audit logging so firms can control access and trace activity when needed.

See technical controls

Is client data used to train AI models?

No. Matter can use AI features for automation, but client data is not used to train models.

See AI handling

Related pages

See how security shows up across Matter.

Matter overview

See how the portal, record, and automation layers fit together in the full product.

Open page

Agent portal

See how staff handle requests, notes, history, and updates on the file itself.

Open page

Client portal

See the client-side portal clients use to upload documents, track progress, and read updates.

Open page

Compare migration software

Review the comparison pages if you are weighing Matter against other migration products.

Open page

Security you can verify, not just take our word for.

Try for free Compare migration software