Security · last updated 2026-06-22
You're trusting us with logs, alerts, and incident data — often from your most sensitive systems.
Here's plainly how we protect it. This describes our hosted service; if you need full control, the
same platform is self-hostable on your own infrastructure.
Encryption
- In transit: TLS on every endpoint — the marketing site, dashboard, and ingest/API.
- At rest: alert-channel secrets, integration tokens, and other credentials are encrypted with AES-256 before storage, with support for key rotation.
- We never store your payment-card numbers — card data is handled by our payment provider.
Tenant isolation & access control
- Every request is scoped to your organization, derived from your authenticated session or token — never from client-supplied input — so one tenant can't reach another's data.
- Role-based access (owner / admin / member) gates privileged actions.
- MFA (TOTP) is available and can gate login.
- Least-privilege API tokens: scoped to specific resources/actions, with per-token daily mutation and log-volume caps to bound the blast radius of a leaked token. Every token-attributed action is recorded.
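The two tenant-isolation bullets above (org derived from the token, never from client input; scoped tokens with daily mutation and log-volume caps) as an added, runnable sketch. This is example code written for this page, not 24observe's implementation: the `ApiToken` fields, the `resource:verb` scope naming, the in-memory `MONITORS` table and `AUDIT_LOG` list are all assumptions made for illustration.

```python
"""Added example, not 24observe's code: tenant scoping and least-privilege API
tokens. The org is taken from the authenticated token, never from the request,
and each token carries scopes plus daily caps that bound a leaked token."""
from dataclasses import dataclass, field
from datetime import date

MUTATING_VERBS = {"write", "delete"}


@dataclass
class ApiToken:                      # assumed shape, not the real token record
    token_id: str
    org_id: str                      # tenant the token was minted for
    scopes: frozenset                # e.g. {"monitors:read", "logs:write"}
    daily_mutation_cap: int
    daily_log_bytes_cap: int
    mutations_today: int = 0
    log_bytes_today: int = 0
    usage_day: date = field(default_factory=date.today)


class AuthorizationError(Exception):
    pass


AUDIT_LOG = []          # in-memory stand-in for the exportable audit log

MONITORS = {            # constructed sample data: monitor_id -> record, two tenants
    "m-1": {"org_id": "org-a", "name": "api-prod"},
    "m-2": {"org_id": "org-b", "name": "billing"},
}


def authorize(token, action, *, log_bytes=0, client_ip="203.0.113.7", today=None):
    """Check scope and daily caps for `action` ("resource:verb"); return the org the
    request is scoped to, or raise AuthorizationError. Granted actions are audited."""
    today = today or date.today()
    if token.usage_day != today:                     # new day: reset the counters
        token.usage_day, token.mutations_today, token.log_bytes_today = today, 0, 0
    if ":" not in action or action not in token.scopes:
        raise AuthorizationError(f"{token.token_id} lacks scope {action!r}")
    mutating = action.split(":", 1)[1] in MUTATING_VERBS
    if mutating and token.mutations_today >= token.daily_mutation_cap:
        raise AuthorizationError("daily mutation cap reached")
    if token.log_bytes_today + log_bytes > token.daily_log_bytes_cap:
        raise AuthorizationError("daily log-volume cap reached")
    token.mutations_today += int(mutating)
    token.log_bytes_today += log_bytes
    AUDIT_LOG.append({"org": token.org_id, "token": token.token_id, "action": action,
                      "ip": client_ip, "day": today.isoformat()})
    return token.org_id


def get_monitor(token, monitor_id, requested_org_id=None):
    """`requested_org_id` is client input and is deliberately ignored: the lookup is
    always filtered by the token's org, so another tenant's monitor id yields None."""
    org_id = authorize(token, "monitors:read")
    record = MONITORS.get(monitor_id)
    if record is None or record["org_id"] != org_id:
        return None                  # same answer for "missing" and "not yours"
    return record


def ingest_logs(token, payload: bytes):
    """A mutating, volume-counted action: consumes one mutation and len(payload) bytes."""
    org_id = authorize(token, "logs:write", log_bytes=len(payload))
    return {"org": org_id, "accepted_bytes": len(payload)}


if __name__ == "__main__":
    tok = ApiToken("tok-1", "org-a", frozenset({"monitors:read", "logs:write"}),
                   daily_mutation_cap=2, daily_log_bytes_cap=100)
    print(get_monitor(tok, "m-1"))                          # own monitor: record
    print(get_monitor(tok, "m-2", requested_org_id="org-b"))  # other tenant: None
    for _ in range(3):                                      # third write trips the cap
        try:
            print(ingest_logs(tok, b"x" * 40))
        except AuthorizationError as e:
            print("denied:", e)
```

The point to notice is that `get_monitor` never reads `requested_org_id`: the only org that can ever reach the data store is the one bound to the token at mint time, and a miss looks identical whether the record does not exist or belongs to someone else.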
Data handling
- Redaction: a redaction engine strips common secret patterns (bearer/JWT, cloud keys, API keys) at ingest, and you can add your own org-level rules; the AI analyst only ever sees redacted inputs.
- SSRF protection: user-supplied URLs (webhooks, monitors) are checked to block requests to private, loopback, and cloud-metadata addresses.
- Audit log: every mutating action records the actor, token, agent/conversation attribution, IP, and target — exportable.
- Bot protection on account-creation endpoints; email verification on signup.
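The redaction and SSRF bullets in the list above, as one added example that is not 24observe's code: a regex redaction pass with built-in rules plus org-level rules, and an outbound-URL check that validates webhook/monitor destinations against the addresses they actually resolve to. The built-in pattern set, the blocked-range list, the hostnames in `FAKE_DNS` and the sample log lines are all assumed or constructed for this example; the real engine's rules are not public.

```python
"""Added example, not 24observe's code: two ingest-side controls, (1) regex
redaction with built-in and org-level rules and (2) an SSRF check that
validates user-supplied URLs against the addresses they resolve to."""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# (1) Redaction. The built-in patterns are an assumed set, not the real engine's.
BUILTIN_RULES = [
    ("bearer", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]+=*")),
    ("jwt", re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")),
    ("aws_access_key", re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b")),
    ("generic_api_key", re.compile(r"(?i)\b(?:api[_-]?key|x-api-key)\s*[:=]\s*\S+")),
]


def redact(text, org_rules=()):
    """Apply built-in rules, then org-level (name, regex) rules, in order."""
    rules = BUILTIN_RULES + [(name, re.compile(rx)) for name, rx in org_rules]
    for name, pattern in rules:
        text = pattern.sub(f"[REDACTED:{name}]", text)
    return text


# (2) SSRF destination check. Runs on *resolved* addresses, so a hostname that
# points at an internal range is caught, as are IPv4-mapped IPv6 spellings.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",            # link-local, incl. 169.254.169.254 cloud metadata
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:169.254.169.254
        ip = ip.ipv4_mapped
    if ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def check_outbound_url(url, resolver=socket.getaddrinfo):
    """Validate `url`; return the one IP the caller must connect to. Connect to
    that IP (do not re-resolve, which reopens a DNS-rebinding race) and re-run
    this check on every redirect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        infos = resolver(parts.hostname, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        raise ValueError(f"host does not resolve: {parts.hostname}")
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise ValueError("no addresses returned")
    for addr in addrs:                       # every record must be allowed
        if is_blocked_address(addr):
            raise ValueError(f"{parts.hostname} resolves to blocked {addr}")
    return addrs[0]


# Constructed DNS records so the example runs offline. The real resolver
# (socket.getaddrinfo) also canonicalises forms such as http://2130706433/,
# which is why the check is applied after resolution rather than to the string.
FAKE_DNS = {
    "hooks.example.com": ["203.0.113.10"],
    "metadata.example.internal": ["169.254.169.254"],
    "dual.example.com": ["203.0.113.11", "10.0.0.5"],   # one public, one private
}


def fake_resolver(host, port, proto=0):
    try:
        ipaddress.ip_address(host)           # literal IP: echo it back like getaddrinfo
        records = [host]
    except ValueError:
        records = FAKE_DNS.get(host)
        if records is None:
            raise socket.gaierror(f"no record for {host}")
    return [(socket.AF_UNSPEC, socket.SOCK_STREAM, proto, "", (a, port)) for a in records]


SAMPLE_LOGS = [  # constructed log lines
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.c2lnbmF0dXJl",
    "s3 sync failed for AKIAIOSFODNN7EXAMPLE (region us-east-1)",
    "POST /v1/ingest api_key=sk_live_123456 status=200 see TICKET-42",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(redact(line, org_rules=[("internal_ticket", r"\bTICKET-\d+\b")]))
    for url in ("https://hooks.example.com/in", "http://metadata.example.internal/",
                "http://[::ffff:169.254.169.254]/", "http://dual.example.com/"):
        try:
            print("allow", url, "->", check_outbound_url(url, fake_resolver))
        except ValueError as e:
            print("block", url, "->", e)
```

Two design choices matter more than the range list. The SSRF check rejects a host if any of its records is blocked, because a resolver may return the private record on the next lookup; and it returns the pinned IP so the HTTP client connects to what was checked. Redaction rules run in a fixed order, so a bearer header is reported as `bearer` rather than as the JWT it happens to contain.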
Retention & deletion
You can export your data via the API at any time. When you delete your organization, we cancel any
active subscription and irreversibly purge your data from production within 30 days and from backups
within 90 days. See the Privacy Policy for details.
Availability & resilience
Continuous backups, health checks, and an external dead-man's-switch watchdog guard the platform. See
our availability commitment and live status page.
Responsible disclosure
Found a vulnerability? We want to hear from you. Email security@24observe.com (see
/.well-known/security.txt). Please give us a reasonable window to remediate before public
disclosure; we won't pursue good-faith research that respects user privacy and avoids service
disruption.
Honest scope
We're a focused team, not a mega-vendor: we don't yet hold a formal SOC 2 / ISO 27001 certification.
We apply the controls above and are happy to walk security teams through our setup — and if your
compliance needs require data never leaving your boundary, self-host the identical platform.
Questions: security@24observe.com.