Keeping customer data safe and secure is a huge responsibility and a top priority for Instatus. We work hard to protect our customers from the latest threats. We store all our own sensitive information on the same servers our customers do. We don’t want our information compromised, so we’re motivated by self-preservation as well. Aligning our goals with your goals is the best way to see eye-to-eye on the need to keep everything as secure as we can.
All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data. Background checks aren’t performed on our workers. Everybody at Instatus is trained and made aware of security concerns and best practices for their systems. Remote access to servers is via our VPN using two factor authentication, and limited to workers who need access for their day to day work. We log all access to all accounts by IP address.
• We run a bounty program in and welcome reports from security researchers. More details are available here: instatus.com/bug-bounty. • Maintain and support our automated test suite for development machines • Review all changes to the code and infrastructure to ensure they follow best practices and security guidelines (such as OWASP) • Monitor and alert on anomalous activity • Coordinate vulnerability testing with external security researchers
Instatus has not completed an SOC audit, but we're working on submitting a self assessment for PCI compliance. We have an internally built system that monitors and automatically blocks suspicious activity (including vulnerability scanning, failed logins, and a host of other suspicious activity). We also have alerts in place for excessive resource use that escalates for manual investigation. Our product run on a dedicated network secured with firewalls and carefully monitored.
Our primary data centers are in the United States on Amazon AWS. All data is backed up daily, and stored in multiple locations. Our software infrastructure is updated regularly with the latest security patches.
Over public networks we send data using strong encryption. We use SSL certificates issued by Let's encrypt. You can check our currently supported ciphers here: https://www.ssllabs.com/ssltest/analyze.html?d=instatus.com&latest
Our application databases are not encrypted at rest — the information you add to the applications is active in our databases and subject to the same protection and monitoring as the rest of our systems. All passwords are hashed and salted using BCrypt. Our backups of your data are encrypted using GPG.
Instatus won’t hand your data over to law enforcement unless a court order says we have to. We flatout reject requests from local and federal law enforcement when they seek data without a court order. And unless we’re legally prevented from it, we’ll always inform you when we receive such requests.
All your content will be inaccessible immediately upon deletion. Within 30 days, all content will be permanently deleted from all servers and logs. This information can not be recovered once it has been permanently deleted. We also keep backups stored off-site for a maximum of 30 additional days. Therefore, after a cancellation, all data will be permanently deleted from backups within 60 days
We practice regular recovery drills. We perform daily backups of all databases. Our backups are tested on a regular basis and are stored off-site for a maximum of 30 days. We have procedures for responding to incidents. In the event of an incident, we would communicate it with customers via our status page, and work with you throughout.
Send urgent or sensitive reports directly to firstname.lastname@example.org. We’ll get back to you as soon as we can, usually within 24 hours.
Please follow up or ping us on Twitter @instatus if you don’t hear back.
We work with security researchers to keep up with the state-of-the-art in web security. Have you discovered a web security flaw that might impact our product? Please submit a report at instatus.com/bug-bounty.
If you submit a report, here’s what will happen:
Security isn’t just about technology, it’s about trust.
We'll work hard every day to build and maintain it with you Longevity and stability is core to our mission at Instatus. Want to know more?
Submit a email@example.com if you have other security questions. We’ll get back to you as quickly as we can