
# Security

You're trusting us with your monitoring data. We don't take that lightly. This page explains exactly how we protect it, who has access, and why we think a small, focused team is actually an advantage when it comes to security.

## Who's Behind Your Data

Oh Dear is built and maintained by two people you can actually look up:

- **Freek Van der Herten** ([freek.dev](https://freek.dev), [@freekmurze](https://twitter.com/freekmurze)) - prolific open-source developer with millions of package downloads
- **Mattias Geniar** ([ma.ttias.be](https://ma.ttias.be), [@mattiasgeniar](https://twitter.com/mattiasgeniar)) - sysadmin and security background, 15+ years in infrastructure

We've spent years building our reputations through open-source work, conference talks, and writing. Our public personas are directly tied to this product. If we mess up, everyone will know. That's a pretty strong incentive to get security right.

## Technical Security

Here's how we actually protect your data:

### Encryption

- **In transit:** All connections use TLS 1.2 or higher. No exceptions.
- **At rest:** We don't currently encrypt data at rest. Your monitoring data (URLs, response times, check results) isn't particularly sensitive, but we're evaluating this for future implementation.
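A "TLS 1.2 or higher" claim can be checked from the outside by pinning a client to one protocol version at a time and recording which handshakes the server completes. The script below is an added example, not Oh Dear's own code; the target host name is an assumption and can be replaced by any HTTPS endpoint under review. Certificate verification stays on, because the point is to audit the server, not to weaken the client.

```python
"""Check which TLS protocol versions a server will negotiate.

Added example (not Oh Dear's own code): verifies a "TLS 1.2 or higher" claim by
attempting one handshake per protocol version and recording which ones the
server accepts. HOST is an assumption; point it at the endpoint under review.
"""
import socket
import ssl
from typing import Dict

HOST = "ohdear.app"   # assumed target; replace with the endpoint under review
PORT = 443

# Oldest first. TLS 1.0 and 1.1 are the ones a "1.2 or higher" policy must refuse.
CANDIDATES = [
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
LEGACY = {ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def context_pinned_to(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context that offers exactly one protocol version.

    Certificate verification and hostname checking stay enabled.
    """
    ctx = ssl.create_default_context()
    try:
        # Modern OpenSSL refuses to offer TLS 1.0/1.1 at its default security
        # level, so a legacy probe would fail locally and look like a server
        # refusal. Level 0 lets the ClientHello reach the server. LibreSSL
        # builds do not understand this syntax; they simply keep the default.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def negotiates(host: str, version: ssl.TLSVersion, port: int = 443,
               timeout: float = 5.0) -> bool:
    """True if the server agrees to `version`.

    A certificate failure counts as agreement: the protocol version is settled
    in the ServerHello, before the chain is checked. Any other handshake error,
    or a local build that cannot offer the version at all, counts as refusal.
    """
    try:
        ctx = context_pinned_to(version)
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLCertVerificationError:
        return True
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host: str, port: int = 443) -> Dict[ssl.TLSVersion, bool]:
    """Try every candidate version against one host."""
    return {v: negotiates(host, v, port) for v in CANDIDATES}


def meets_tls12_floor(results: Dict[ssl.TLSVersion, bool]) -> bool:
    """True only if no legacy version was accepted and at least one modern one was."""
    accepted = {v for v, ok in results.items() if ok}
    return not (accepted & LEGACY) and bool(accepted - LEGACY)


if __name__ == "__main__":
    results = probe(HOST, PORT)
    for version, ok in results.items():
        print(f"{version.name:8} {'accepted' if ok else 'refused'}")
    print("TLS 1.2 floor:", "OK" if meets_tls12_floor(results) else "NOT met")
```

A result where every version is refused usually means the local OpenSSL build could not offer the legacy versions at all, or the host was unreachable, rather than a server that speaks nothing; confirm with `openssl s_client -tls1_1 -connect host:443` before drawing a conclusion. TLS 1.3 only shows up when both the local library and the server support it.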

### Infrastructure

We rely on providers with proper certifications:

- **Primary hosting:** [Combell](https://www.combell.com) (Belgium) - ISO 9001, ISO 27001, ISO 27701 certified
- **Performance metrics:** [ClickHouse Cloud](https://clickhouse.com/cloud) - SOC 2 Type II, ISO 27001
- **CDN & Protection:** [Cloudflare](https://www.cloudflare.com) - SOC 2 Type II, ISO 27001
- **Monitoring nodes:** AWS, DigitalOcean, Vultr - all SOC 2 certified

### Access Controls

- Multi-factor authentication required for all production access
- Principle of least privilege - we only grant access that's actually needed
- Background checks completed for all team members
- SSH key-based authentication only, no password access to servers
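On a host you operate, the "no password access" claim is best checked against the effective sshd configuration (`sshd -T`, run as root), which reflects compiled-in defaults and `Match` blocks rather than the file as written. The audit below is an added example, not Oh Dear's tooling; the two sample outputs are constructed for illustration and the keyword names are those `sshd -T` prints.

```python
"""Audit the effective sshd configuration for password-based access paths.

Added example, not Oh Dear's own tooling: feed it the output of `sshd -T` and
it reports every setting that still permits a password or keyboard-interactive
login. The sample texts below are constructed for the example.
"""
import subprocess
from typing import Dict, List

# Keyword -> value required for key-only access. `sshd -T` prints keywords in
# lowercase, one "keyword value" pair per line.
REQUIRED = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",     # OpenSSH >= 8.7 name
    "challengeresponseauthentication": "no",  # older name for the same control
    "permitemptypasswords": "no",
}
# Root may log in with a key, never with a password.
ROOT_LOGIN_OK = {"no", "prohibit-password", "without-password"}

# Constructed samples: what `sshd -T` might print on a weak and a hardened host.
WEAK_SAMPLE = """\
port 22
pubkeyauthentication yes
passwordauthentication yes
kbdinteractiveauthentication yes
permitemptypasswords no
permitrootlogin yes
authenticationmethods any
"""

HARDENED_SAMPLE = """\
port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
permitrootlogin prohibit-password
authenticationmethods any
"""


def parse_sshd_t(text: str) -> Dict[str, str]:
    """Parse `sshd -T` output into a keyword -> value map (last value wins)."""
    config: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        config[key.lower()] = value.strip()
    return config


def audit(config: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means key-only access is enforced."""
    findings: List[str] = []
    for key, wanted in REQUIRED.items():
        actual = config.get(key)
        if actual is None:
            continue  # keyword not printed by this OpenSSH version
        if actual != wanted:
            findings.append(f"{key} is {actual!r}, expected {wanted!r}")

    root = config.get("permitrootlogin", "yes")
    if root not in ROOT_LOGIN_OK:
        findings.append(f"permitrootlogin is {root!r}, expected 'no' or 'prohibit-password'")

    # AuthenticationMethods lists alternatives separated by spaces; each
    # alternative is a comma-joined set of methods that must all succeed.
    # Any alternative without publickey is a path that bypasses the key.
    methods = config.get("authenticationmethods", "any")
    if methods != "any":
        for alternative in methods.split():
            if "publickey" not in alternative.split(","):
                findings.append(f"authenticationmethods allows {alternative!r} without publickey")
    return findings


def audit_local_host() -> List[str]:
    """Run `sshd -T` on this machine (needs root to read host keys) and audit it."""
    out = subprocess.run(["sshd", "-T"], capture_output=True, text=True, check=True).stdout
    return audit(parse_sshd_t(out))


if __name__ == "__main__":
    for finding in audit_local_host() or ["key-only access enforced"]:
        print(finding)
```

The check is deliberately conservative about `AuthenticationMethods`: a server with `PasswordAuthentication no` but `AuthenticationMethods publickey password` still accepts a password as the second factor, which is fine, while `publickey password` (two alternatives) reopens a password-only path and is flagged.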

### Development Practices

- Automated dependency scanning via Dependabot
- Static analysis with PHPStan on every commit
- Code review required for all changes to production
- Separate staging environment for testing

## Backups & Recovery

We take backups seriously. Here's our retention schedule:

- **Daily backups:** Retained for 7 days
- **Weekly backups:** Retained for 4 weeks
- **Monthly backups:** Retained for 12 months
- **Yearly backups:** Retained for up to 2 years

Backups are stored separately from production infrastructure. We test restores regularly.

## Why No SOC 2 (Yet)?

We don't have SOC 2 or ISO 27001 certifications. Here's why:

SOC 2 audits cost $50,000+ and require significant ongoing overhead. For a team of our size, that's a meaningful investment that would directly impact what we can build for you. We'd rather spend that time and money on making the product better.

But here's the thing: a small team isn't a security weakness. It's actually an advantage.

- **Smaller attack surface:** Fewer people means fewer credentials to compromise
- **Complete visibility:** We know exactly who has access to what
- **No organizational complexity:** No departments, no access reviews that slip through the cracks
- **Personal accountability:** When something goes wrong, we can't hide behind process

We've never had a reportable security breach. That's not because we're lucky - it's because we're careful, and because there are only a few of us to keep track of.

## For Security & Compliance Teams

We understand you might need more than this page for your vendor assessment. Here's what we can offer:

- **Security questionnaires:** We'll fill these out on a case-by-case basis. Just send them to <security@ohdear.app>
- **Data Processing Agreement:** [View our DPA](https://ohdear.app/data-processing-agreement)
- **Subprocessors list:** [View our subprocessors](https://ohdear.app/subprocessors)
- **Service status:** [status.ohdear.app](https://status.ohdear.app)

If you have specific compliance requirements or questions we haven't addressed here, email us directly. We're happy to get on a call if that helps.

## Vulnerability Disclosure

Found a security issue? We want to hear about it.

- **Email:** <security@ohdear.app>
- **Response time:** We commit to responding within 24 hours
- **Safe harbor:** We won't pursue legal action against security researchers acting in good faith

Please give us reasonable time to fix issues before disclosing them publicly. We'll keep you updated on our progress.

## Legal Documentation

For the formal details on how we handle your data:

### Privacy Policy

How we collect, use, and protect your personal data

[Read Policy](https://ohdear.app/privacy)

### Terms & Conditions

The terms governing your use of Oh Dear

[Read Terms](https://ohdear.app/terms)

### Data Processing Agreement

GDPR-compliant DPA with EU Standard Contractual Clauses

[Read DPA](https://ohdear.app/data-processing-agreement)

### Subprocessors

Complete list of third-party processors and their certifications

[View List](https://ohdear.app/subprocessors)

## Contact Us

Questions about security? We're happy to talk.

- **Security issues:** <security@ohdear.app>
- **Privacy questions:** <privacy@ohdear.app>
- **General inquiries:** <support@ohdear.app>
- **Contact form:** [ohdear.app/contact](https://ohdear.app/contact)
