Security

This page gives a brief overview of our security practices and infrastructure. Let us know if you have any further questions about this area; we would be happy to elaborate.

Security policy

Our success and the success of our customers depend on security. We want our customers to focus on building great apps and experiences, confident in the security of the tools we provide. We strive to follow industry standards and best practices at all times, and to be proactive about security on our infrastructure.

Infrastructure

Opbeat’s physical infrastructure is hosted and managed within Amazon’s secure data centers and uses Amazon Web Services (AWS) technology. Amazon’s data center operations have been accredited under:

You can find their compliance documentation here.

All credit card processing is done by Stripe. Their service meets the highest level of PCI DSS compliance (Level 1). See their Security page for more.

Authentication with Opbeat is handled using OAuth and GitHub user profiles. We never see passwords and do not store them in our databases.

Development and operations

We enforce secure connections over HTTPS (SSL/TLS) to and from our infrastructure, including websites and APIs, so that your data remains encrypted in transit. Your data is encrypted with 256-bit AES and cannot be read by anyone observing the network. The Qualys SSL Labs server test rates our configuration "A".

Our operations teams prepare and follow incident response plans for both operational and security events.

We employ intrusion detection and logging on the infrastructure to block unauthorized access attempts and to expose any that occur.

We sanitise and validate inputs to prevent XSS and injection attacks. We also send unique tokens along with website requests to protect against Cross-Site Request Forgery (CSRF) attacks.

Our engineers peer-review code for security issues before it is deployed to production, following OWASP best practices and security guidelines.

We isolate our processes into separate environments: development, staging and production.

Data security and backups

Customer data is stored in databases to which only a select subset of employees has access, and it is encrypted at rest.

Opbeat staff do not access or interact with customer data or applications as part of normal operations. Opbeat may interact with customer data at the customer's request for support purposes, or where required by law. Opbeat may also inspect customer data to debug and troubleshoot platform issues.

We have well-tested processes in place for backing up and restoring all of our data and yours. All Opbeat databases are continuously replicated to running backup systems as well as to archive storage. Opbeat can fail over to the running backup systems, or restore to a point in time from the archive storage.

Availability and maintenance

We have extensive monitoring and alerting in place for the various components of our infrastructure. Our operations team maintains an on-call schedule and can respond to critical incidents at a moment's notice.

We plan, schedule and announce architecture maintenance, and any potential downtime, ahead of time. The timeline for maintenance projects is available on the status page, and individual projects are updated in real time as work progresses or completes.

Network security

  1. Firewalls: Firewalls are used to restrict access to systems from external networks and between systems internally. By default all access is denied; only ports and protocols explicitly allowed on the basis of business need are permitted. Each system is assigned to a firewall security group according to the system’s function, and that security group restricts access to only the ports and protocols the function requires, which limits the exposure of each system.
  2. DDoS mitigation: We work closely with our providers to respond quickly to events and to enable advanced DDoS mitigation controls when needed.
  3. Spoofing and sniffing protections: Managed firewalls prevent IP, MAC and ARP spoofing on the network and between virtual hosts. Packet sniffing is prevented by the infrastructure, including the hypervisor, which does not deliver traffic to an interface it is not addressed to.

System Security

  1. System configuration: System configuration and consistency are maintained through standard, up-to-date images, configuration management software, and by replacing systems with freshly updated deployments rather than patching them in place.
  2. System authentication: Operating system access is limited to Opbeat staff and requires username and key authentication. Operating systems do not allow password authentication, which prevents password brute-force attacks, theft and sharing.
  3. Vulnerability management: Opbeat is notified of vulnerabilities through internal and external assessments, system patch monitoring, and third-party mailing lists and services. Each vulnerability is reviewed to determine whether it applies to Opbeat’s environment, ranked by risk, and assigned to the appropriate team for resolution.
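The "no password authentication" control in item 2 is the kind of setting a reviewer wants to verify rather than take on trust. The following shell helper is an added example, not Opbeat's own tooling; it audits an OpenSSH `sshd_config` text for that control, reproducing the sshd rules that matter when reading one: the first occurrence of a keyword wins, comments are ignored, a missing `PasswordAuthentication` directive falls back to the OpenSSH default of `yes`, and directives inside a `Match` block are conditional rather than global (the helper stops reading there). The three configs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Opbeat's code): report whether an sshd_config text
# disables password authentication for all users. Semantics mirrored from
# sshd: keywords are case-insensitive, "#" starts a comment, the FIRST
# occurrence of a keyword is the one used, an absent PasswordAuthentication
# line means the OpenSSH default ("yes"), and anything after a "Match" line
# is conditional, so global parsing stops there.
#
# Usage: password_auth_disabled "$config_text"
#   prints "yes" and returns 0 if password auth is disabled globally,
#   prints "no" and returns 1 otherwise (the case to flag in review).
password_auth_disabled() {
    value=$(printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); key = tolower($1) }       # strip comments, normalise
        key == "match" { exit }                      # global section ends here
        key == "passwordauthentication" { print tolower($2); exit }  # first wins
    ')
    [ -n "$value" ] || value="yes"                   # OpenSSH default when absent
    if [ "$value" = "no" ]; then
        echo yes; return 0
    else
        echo no; return 1
    fi
}

# Constructed sample configs covering the cases a reviewer actually meets.
HARDENED='Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# a later duplicate is ignored by sshd, the first value above wins
PasswordAuthentication yes'

WEAK='# PasswordAuthentication no   <- commented out, so the default applies
PubkeyAuthentication yes'

MATCH_ONLY='PubkeyAuthentication yes
Match User deploy
    PasswordAuthentication no'

printf 'HARDENED   password auth disabled: '; password_auth_disabled "$HARDENED"   || true
printf 'WEAK       password auth disabled: '; password_auth_disabled "$WEAK"       || true
printf 'MATCH_ONLY password auth disabled: '; password_auth_disabled "$MATCH_ONLY" || true
```

On a live host the same check is more reliably run against `sshd -T` output (the effective configuration) than against the file, since included files and defaults are already resolved there.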

Disaster recovery

The Opbeat platform is designed for stability and scaling, and it inherently mitigates the common causes of outages while retaining recovery capabilities. The platform maintains redundancy to avoid single points of failure. In case of an outage, standby and backup systems take over operations; in case of catastrophic failure, systems are restored from backups.