Security & Compliance

We monitor your infrastructure — so you need to trust us with information about it. Here is exactly how we protect your data.

  • TLS 1.2+: All traffic encrypted
  • AES-256: Data at rest
  • AWS SOC 2: Hosting provider
  • Least privilege: IAM roles

Authentication & Access

  • User authentication handled by a dedicated, SOC 2 Type II certified auth provider
  • All passwords hashed — never stored in plain text
  • JWT tokens with short expiry and secure refresh flow
  • Email verification required on account creation
  • Brute-force protection at the authentication layer

Data Encryption

  • All data encrypted in transit via TLS 1.2+ (HTTPS everywhere)
  • Data at rest encrypted via AES-256
  • Secrets stored in encrypted vaults — never in environment variables or source code
  • Managed encryption keys with automatic rotation
  • No sensitive data written to logs

Infrastructure Security

  • Hosted on infrastructure certified to SOC 2, ISO 27001, and PCI DSS Level 1 standards
  • All service components run with least-privilege access — no standing elevated permissions
  • JWT validation at the API gateway layer — unauthenticated requests never reach application code
  • All static assets served via private CDN — no publicly accessible storage buckets
  • Internal message queues encrypted at rest; messages not retained after processing

Monitoring & Observability

  • Automated alarms on service error rates and failed message counts
  • Failed processing captured in dead-letter channels for investigation and retry
  • Log retention policy: 30 days
  • Automated point-in-time recovery enabled on all persistent data stores
  • All infrastructure defined as code — auditable and reproducible deployments

Data we collect and why

Data type | Purpose | Retention
Email address | Account authentication, alert delivery | Until account deletion
Monitor URLs/IPs | Performing health checks | Until monitor deletion
Ping logs | Uptime history, response time analytics | 7–30 days (plan-dependent)
Incident records | Outage history, recovery confirmation | 90 days
Alert channel config | Sending outage notifications | Until removed by user
Access logs | Security auditing, abuse prevention | 30 days

Responsible disclosure

If you discover a security vulnerability in UptimeWiz, please report it privately. We'll acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 72 hours.

security@uptimewiz.com

Have a security question? Contact us or read our Privacy Policy.