How does Oh Dear protect my data?

Oh Dear protects your data with TLS 1.2+ encryption for all connections, hosting on ISO 27001 certified infrastructure in Belgium (Combell), multi-factor authentication for all production access, and strict principle of least privilege access controls.

Does Oh Dear have SOC 2 certification?

Oh Dear does not currently have SOC 2 certification. However, our infrastructure providers (Combell, ClickHouse Cloud, Cloudflare, AWS, DigitalOcean, Vultr) are all SOC 2 and/or ISO 27001 certified. We believe our small team structure actually provides security advantages through reduced attack surface and complete visibility into access.

Where is Oh Dear data stored?

Primary data is stored in Belgium with Combell, an ISO 9001, ISO 27001, and ISO 27701 certified hosting provider. Performance metrics are stored in ClickHouse Cloud (SOC 2 Type II, ISO 27001). All data in transit uses TLS 1.2 or higher encryption.

How do I report a security vulnerability to Oh Dear?

Report security vulnerabilities to security@ohdear.app. We commit to responding within 24 hours and provide safe harbor for security researchers acting in good faith. Please allow reasonable time for fixes before public disclosure.

What is Oh Dear's backup policy?

Oh Dear maintains daily backups retained for 7 days, weekly backups retained for 4 weeks, monthly backups retained for 12 months, and yearly backups retained for up to 2 years. Backups are stored separately from production infrastructure and tested regularly.

4.9 (70)

4.7 (31)

Security

You're trusting us with your monitoring data. We don't take that lightly. This page explains exactly how we protect it, who has access, and why we think a small, focused team is actually an advantage when it comes to security.

Who's Behind Your Data

Oh Dear is built and maintained by two people you can actually look up:

Freek Van der Herten (freek.dev, @freekmurze) - prolific open-source developer with millions of package downloads
Mattias Geniar (ma.ttias.be, @mattiasgeniar) - sysadmin and security background, 15+ years in infrastructure

We've spent years building our reputations through open-source work, conference talks, and writing. Our public personas are directly tied to this product. If we mess up, everyone will know. That's a pretty strong incentive to get security right.

Technical Security

Here's how we actually protect your data:

Encryption

In transit: All connections use TLS 1.2 or higher. No exceptions.
At rest: We don't currently encrypt data at rest. Your monitoring data (URLs, response times, check results) isn't particularly sensitive, but we're evaluating this for future implementation.

Infrastructure

We rely on providers with proper certifications:

Primary hosting: Combell (Belgium) - ISO 9001, ISO 27001, ISO 27701 certified
Performance metrics: ClickHouse Cloud - SOC 2 Type II, ISO 27001
CDN & Protection: Cloudflare - SOC 2 Type II, ISO 27001
Monitoring nodes: AWS, DigitalOcean, Vultr - all SOC 2 certified

Access Controls

Multi-factor authentication required for all production access
Principle of least privilege - we only grant access that's actually needed
Background checks completed for all team members
SSH key-based authentication only, no password access to servers

Development Practices

Automated dependency scanning via Dependabot
Static analysis with PHPStan on every commit
Code review required for all changes to production
Separate staging environment for testing

Backups & Recovery

We take backups seriously. Here's our retention schedule:

Daily backups: Retained for 7 days
Weekly backups: Retained for 4 weeks
Monthly backups: Retained for 12 months
Yearly backups: Retained for up to 2 years

Backups are stored separately from production infrastructure. We test restores regularly.

Why No SOC 2 (Yet)?

We don't have SOC 2 or ISO 27001 certifications. Here's why:

SOC 2 audits cost $50,000+ and require significant ongoing overhead. For a three-person team, that's a meaningful investment that would directly impact what we can build for you. We'd rather spend that time and money on making the product better.

But here's the thing: a small team isn't a security weakness. It's actually an advantage.

Smaller attack surface: Fewer people means fewer credentials to compromise
Complete visibility: We know exactly who has access to what
No organizational complexity: No departments, no access reviews that slip through the cracks
Personal accountability: When something goes wrong, we can't hide behind process

We've never had a reportable security breach. That's not because we're lucky - it's because we're careful, and because there are only three of us to keep track of.

For Security & Compliance Teams

We understand you might need more than this page for your vendor assessment. Here's what we can offer:

Security questionnaires: We'll fill these out on a case-by-case basis. Just send them to [email protected]
Data Processing Agreement: View our DPA
Subprocessors list: View our subprocessors
Service status: status.ohdear.app

If you have specific compliance requirements or questions we haven't addressed here, email us directly. We're happy to get on a call if that helps.

Vulnerability Disclosure

Found a security issue? We want to hear about it.

Email: [email protected]
Response time: We commit to responding within 24 hours
Safe harbor: We won't pursue legal action against security researchers acting in good faith

Please give us reasonable time to fix issues before disclosing them publicly. We'll keep you updated on our progress.