
Security

Last updated: April 2026

Security is foundational to Uptrue. As a monitoring platform, we understand that you trust us with information about your infrastructure. This page describes the measures we take to protect your data and our platform.

1. Infrastructure

  • Hosting: Uptrue runs on Vercel's edge network with automatic scaling, DDoS protection, and global CDN.
  • Database: All data is stored in Supabase (PostgreSQL) in the Frankfurt, Germany (EU) region with automated backups and point-in-time recovery.
  • Uptime: We target 99.9% platform availability. See our SLA for details.

2. Encryption

  • In transit: All communication uses HTTPS with TLS 1.2 minimum (TLS 1.3 preferred). HTTP is rejected at the edge.
  • At rest: Database storage is encrypted at rest using AES-256. Backups are also encrypted.
  • API keys: Customer API keys are hashed using bcrypt before storage. The plain-text key is displayed once at creation and never stored.
  • Webhooks: All outbound webhook payloads are signed with HMAC-SHA256 so you can verify authenticity.

3. Authentication and Access Control

  • Authentication is handled by Supabase Auth with support for magic links and Google OAuth.
  • Admin access is restricted to Google OAuth with an email whitelist enforced in middleware.
  • Rate limiting on login endpoints: 5 failed attempts trigger a 15-minute lockout.
  • Sessions auto-expire after 24 hours of inactivity.
  • Role-based access control separates Owner, Administrator, Member, and Viewer permissions.

4. Data Isolation

  • Row Level Security (RLS): PostgreSQL RLS policies are enforced at the database level on every table. Users can only access data belonging to their organisation.
  • All application queries are additionally scoped by organisation ID as a defence-in-depth measure.
  • Admin impersonation is read-only and fully audit-logged.

5. Vulnerability Management

  • npm audit runs in CI on every deployment. High-severity vulnerabilities block the build.
  • Dependencies are reviewed for active maintenance and known CVEs before adoption.
  • GitHub secret scanning prevents accidental commits of API keys and credentials.

6. Audit Logging

  • All authentication events, admin actions, API key operations, and data access are logged to an immutable audit log.
  • Audit logs include timestamp, user ID, action, resource, and IP address.
  • Audit logs are retained for 1 year and cannot be modified or deleted.

7. Compliance

  • GDPR: We comply with the General Data Protection Regulation. See our GDPR Compliance page.
  • UK GDPR: We comply with the UK implementation of GDPR under the Data Protection Act 2018.
  • DPA: A Data Processing Agreement is available for all customers. See our DPA.
  • SOC 2: Targeted within 12 months of launch.

8. Responsible Disclosure

If you discover a security vulnerability in Uptrue, please report it responsibly by emailing security@uptrue.io. We will acknowledge receipt within 24 hours and provide an initial assessment within 5 business days.

Please do not disclose vulnerabilities publicly until we have had a reasonable opportunity to address them. We do not currently operate a formal bug bounty programme, but we recognise and appreciate responsible security researchers.

9. Contact

For security questions or to report an issue:

  • Security: security@uptrue.io
  • Privacy: privacy@uptrue.io
© 2026 Vision Software Solutions Limited · Brentford, UK · Company No. 02710980