Security & data residency

The short version: customer data lives in the EU, backups are continuous, secrets are encrypted at rest, and the API is scoped per key.

Data residency

All customer data — accounts, monitor configurations, check logs, downtime events, notification logs, status pages — lives on Postgres in Falkenstein, Germany (Hetzner FSN1). We do not replicate or back up customer data outside the EU.

The US-East and APAC probe instances are stateless — they run checks and POST results over HTTPS to the EU primary, then immediately forget. No customer data is persisted outside the EU.

Backups & recovery

  • Daily Postgres backups via pg_basebackup, retained 30 days in the same EU region, encrypted at rest with AES-256.
  • WAL archiving for 30-day point-in-time recovery to any second within the window.
  • Quarterly restore drill validates that backups are readable and complete.
  • RPO: ≤ 5 minutes. RTO: ≤ 4 hours for catastrophic primary failure.

Secrets & credentials

  • API keys: stored as SHA-256 hashes. The full key is shown to the user once at creation and never again.
  • Notification channel configs (Slack webhooks, Telegram bot tokens, Twilio creds, PagerDuty routing keys) stored encrypted at rest in Postgres.
  • Probe ↔ main app traffic: HMAC-SHA256 signed JWT, 24-hour TTL, rotated daily.
  • Session cookies: httpOnly, sameSite=lax, secure in production. 30-day expiry.
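The probe-to-app token described above (an HMAC-SHA256 signed JWT with a 24-hour TTL) can be issued and checked with nothing beyond the Python standard library. The block below is an added illustration written for this page, not MonitorAH's own code; the secret value, the probe id and the claim names are constructed for the example. It pins the algorithm to HS256 rather than trusting the token's own header, uses a constant-time comparison for the signature, and rejects anything expired or malformed.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed example secret. In a real deployment the probe and the main app
# each hold the current day's rotated secret; nothing is hard-coded like this.
PROBE_SECRET = b"constructed-example-secret-rotated-daily"
TOKEN_TTL_SECONDS = 24 * 60 * 60  # the 24-hour TTL stated on the page


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding base64 expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_probe_token(probe_id: str, secret: bytes, now: Optional[int] = None) -> str:
    """Issue a compact HS256 JWT carrying sub, iat and exp claims."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": probe_id, "iat": now, "exp": now + TOKEN_TTL_SECONDS}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_probe_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the payload when signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        # Pin the algorithm: the verifier decides how to verify, not the token.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = (header_b64 + "." + payload_b64).encode("ascii")
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad JSON and wrong segment count
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return payload
```

Because the secret is rotated daily while tokens live 24 hours, a verifier in practice needs to accept the previous day's secret as well as the current one for the overlap period; the example takes a single secret to keep the signing and expiry logic in view.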

Access control

  • API keys are per-user and scoped: monitors:read, monitors:write, events:read, etc.
  • Production database access is limited to a single SRE; all queries audit-logged.
  • Admin dashboard (/admin/*) requires isAdmin flag; non-admins receive a 404, not 403.
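The two lists above describe one key lifecycle: a key is shown once and stored only as a SHA-256 hash, each key carries scopes such as monitors:read, and the admin area answers 404 rather than 403 to non-admins. The following is an added example written for this page, not MonitorAH's code: the in-memory dictionary stands in for the Postgres table (indexed on the hash), the "mah_" prefix and the user ids are constructed, and the HTTP status codes are returned as plain integers so the decisions are easy to check.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class ApiKeyRecord:
    """What the database keeps: never the key itself, only its hash."""
    key_hash: str
    user_id: str
    scopes: frozenset
    is_admin: bool = False


# Constructed stand-in for the api_keys table; keyed by SHA-256 hex digest.
KEY_STORE: Dict[str, ApiKeyRecord] = {}


def hash_api_key(plaintext: str) -> str:
    # A plain SHA-256 is appropriate here because the key is 256 bits of
    # CSPRNG output; brute force is infeasible without a salt or slow hash.
    # (User passwords are a different case and need a password hash.)
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def create_api_key(user_id: str, scopes: Iterable[str], is_admin: bool = False) -> str:
    """Generate a key, persist only its hash, and hand back the plaintext once."""
    plaintext = "mah_" + secrets.token_urlsafe(32)
    record = ApiKeyRecord(hash_api_key(plaintext), user_id, frozenset(scopes), is_admin)
    KEY_STORE[record.key_hash] = record
    return plaintext  # displayed to the user at creation and never stored


def lookup_api_key(presented: str) -> Optional[ApiKeyRecord]:
    """Hash the presented key first so the plaintext never reaches the store."""
    return KEY_STORE.get(hash_api_key(presented))


def authorize(presented: str, required_scope: str) -> int:
    """Status an API endpoint would return: 200, 401 (unknown key) or 403 (scope missing)."""
    record = lookup_api_key(presented)
    if record is None:
        return 401
    if required_scope not in record.scopes:
        return 403
    return 200


def admin_route(presented: str) -> int:
    """/admin/* as described: non-admins and unknown keys both see 404, not 403."""
    record = lookup_api_key(presented)
    if record is None or not record.is_admin:
        return 404
    return 200
```

Returning 404 for non-admins means an unauthenticated caller and a legitimate non-admin user get an identical response, so the existence of the admin routes is not confirmed by the status code; the trade-off is that a misconfigured admin account fails in a way that looks like a missing page, which is worth covering in logging.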

GDPR

  • Data Processing Agreement auto-issued at signup for EU customers; downloadable on request from any account.
  • Right to access: GET /api/v1/account/export returns a JSON dump of every record tied to your account.
  • Right to erasure: DELETE /account in the dashboard cascade-deletes everything immediately, subject to a 7-day soft-delete window for recovering from accidental clicks.
  • We are the data controller for account data; the data processor for monitor check results.

Reporting a vulnerability

Email security@monitorah.com with a clear write-up. We acknowledge within one business day. We do not currently run a paid bounty programme but credit reporters on the security acknowledgements page if they wish.

SOC 2 / ISO 27001 status

As a small independent startup, MonitorAH is not yet SOC 2 or ISO 27001 certified. Certification is on the roadmap once volume justifies the audit cost. In the meantime we publish the controls listed above and welcome customer-led security questionnaires.