Security

Security is fundamental to everything we build at Cronitor. As a monitoring platform trusted by thousands of teams, we understand that our security is your security. Here's how we protect your data and ensure our platform remains reliable.

Encryption

All data transmitted to our data centers is encrypted using strong, modern TLS (Transport Layer Security) protocols. This ensures that your data remains secure while in transit across the internet.

Data in Transit: We enforce TLS 1.2 or higher for all connections to our platform, including API requests, web dashboard access, and webhook deliveries. All monitoring data sent to Cronitor is encrypted before it leaves your infrastructure.

Data at Rest: Customer data stored in our databases is encrypted using industry-standard AES-256 encryption. This includes your monitoring configurations, alert history, and any logs or metrics collected by our platform.

Backups: All database backups are encrypted using the same strong encryption standards, ensuring your data remains protected even in backup storage.

Data Location

We store all customer data within Amazon Web Services (AWS) data centers located in the United States and the European Union. Key points about these facilities:

Primary Regions: Our production infrastructure operates primarily in AWS US-West (Oregon) and EU-West (Ireland) regions, ensuring low latency and compliance with regional data protection requirements.

Infrastructure Standards: AWS data centers maintain SOC 1/2/3 Type II compliance, ISO 27001 certification, and PCI DSS Level 1 compliance. These facilities feature 24/7 physical security, biometric access controls, and environmental monitoring.

No Third-Party Countries: Your data never transits through or is stored in countries outside the US and EU, ensuring clear jurisdiction and legal protections.

Threat Detection

Our security infrastructure includes multiple layers of protection:

Vulnerability Scanning: We conduct automated security scans across our entire infrastructure using industry-leading tools. These scans run continuously to identify potential vulnerabilities in our code, dependencies, and infrastructure before they can be exploited.

Threat Detection Systems: Our security operations center monitors all network traffic and system activity in real-time using advanced threat detection algorithms. Any suspicious patterns or unauthorized access attempts trigger immediate alerts and automated response protocols.

Bot Protection: Multi-layered defenses protect our platform from automated attacks, including rate limiting, behavioral analysis, and advanced bot detection. This ensures legitimate monitoring traffic flows smoothly while blocking malicious automation.

Audit Logging: All access to our production infrastructure is comprehensively logged with detailed timestamps, user identification, and IP addresses. Our application also maintains extensive logging throughout the platform. These audit trails are retained securely and monitored for unusual patterns or potential security incidents.

Cloud Monitoring: We continuously monitor our AWS infrastructure using both native AWS security tools and third-party solutions. This includes tracking configuration changes, access patterns, and resource utilization to detect potential security issues before they impact our service.

Application Security

Our web application is designed and regularly tested with the OWASP Top 10 security risks in mind, protecting against the most common attack vectors including:

Injection Prevention: All user inputs are validated and sanitized using secure coding practices to prevent SQL, NoSQL, OS, and LDAP injection attacks.

Authentication & Session Management: We implement secure authentication mechanisms with proper session handling and monitoring of authentication attempts.

Cross-Site Scripting (XSS) Protection: Our application uses Content Security Policy headers and input validation to prevent XSS attacks, with proper sanitization of all user-generated content.

Cross-Site Request Forgery (CSRF) Protection: State-changing requests require valid CSRF tokens to prevent unauthorized actions on behalf of authenticated users.

Security Testing: We conduct regular security audits and penetration testing to identify and remediate potential vulnerabilities.

Developer Security

We maintain strict security standards for our development team:

Two-Factor Authentication (2FA): Required on all accounts with infrastructure access, including cloud providers, code repositories, and deployment systems.

Device Security: All team equipment uses full disk encryption and meets our security baseline requirements.

Access Controls: We implement least privilege access that is regularly reviewed and automatically revoked when no longer needed.

Data Governance

We strongly believe that your data belongs to you.

We maintain strict data governance practices and respect your ownership of all data you provide to our platform. Your monitoring data, configurations, and account information belong to you and are never shared with third parties without your explicit consent.

Please review our Privacy Policy for complete details on data storage, processing, and your rights regarding your information.

InfoSec Policies

Our comprehensive Information Security policies document the formal procedures and standards that govern our security operations. These policies cover our vulnerability management processes, incident and breach response protocols, new employee security training requirements, and disaster recovery procedures.

These documents provide detailed insight into how we maintain security across our organization and ensure consistent security practices as we grow.

Download InfoSec Policies
