A monitoring tool sees a lot — your URLs, your alert routing, your incident history. Here's what we commit to, what we will never do, and where our compliance posture is honestly incomplete.
Every byte that crosses the wire is over TLS 1.2+. Sensitive fields (custom request headers, signing secrets) are additionally encrypted at the application layer before being written to durable storage.
Every outbound webhook is cryptographically signed so your receiver can be certain it came from us, not a spoofer. You rotate the signing secret in one click.
Your data lives in a row that is filtered by your organization on every read. Cross-tenant access returns 404 — not 403 — so a foreign API token can't even confirm a resource exists. Verified end-to-end with a two-tenant integration test on every release.
Every account-mutating action — create, update, delete, role change, secret rotation — is recorded with the actor, the resource, and a timestamp. You can review and export your org's log at any time.
When you give us a URL — for a monitor target, an alert webhook, or an event-webhook subscription — we resolve it before the row is even saved and reject anything pointing at private, link-local, loopback, or cloud-metadata addresses. You see the rejection immediately (MONITOR_TARGET_UNSAFE / WEBHOOK_URL_UNSAFE) instead of discovering it at first-check time. Your monitoring tool can't be turned into a probe of your own internal network.
Every mutating endpoint accepts an Idempotency-Key. Same key + same body returns the cached response (your agent's retry is safe). Same key + DIFFERENT body returns 409 IDEMPOTENCY_KEY_REPLAY_CONFLICT — surfacing a buggy retry loop immediately instead of silently doing the wrong thing.
Every event-webhook delivery is HMAC-SHA256 signed with your org's shared secret. Receivers verify with constant-time compare. We retry up to 5 times with exponential backoff + 30% jitter, then mark the delivery dead. A subscription that fails 10 deliveries in a row auto-disables — a misconfigured endpoint can't drain our queue or wake our on-call.
Webhook signing secrets, API tokens, and heartbeat URLs can each be rotated independently from the dashboard. No support ticket required.
Personal access tokens for scripts and CI are stored as one-way hashes — even we can't recover the plaintext if you lose it. Show-once at creation.
The full platform is self-hostable on infrastructure you control — same containers, same configuration we run. Your telemetry never has to leave your environment, and you can inspect exactly what the deployment does on your own hardware.
We will not pretend to have things we don't. If any of these is a hard requirement, we will tell you we are not the fit before you sign.
We have not paid an auditor to certify our controls. If you need that letter today, we are not the fit. If you can wait or if your compliance team accepts source-available alternative audit, talk to us.
We will not sign a BAA today. Do not put PHI through our hosted service. Self-host if you need HIPAA-grade isolation.
Our hosted SaaS runs in one region. If your data residency policy requires EU-only or India-only processing, self-host.
Email [email protected] with details and (if you'd like) a PGP key for response. We acknowledge within 1 business day, fix critical issues within 7 days, and credit reporters publicly with their permission. See /.well-known/security.txt for the full policy.
No NDA, no sales call gating, no "Talk to us for security details."