Security Whitepaper

Introduction

Keeping customer data safe and secure is a huge responsibility and a top priority for Instatus. We work hard to protect our customers from the latest threats. We store all our own sensitive information on the same servers our customers do. We don’t want our information compromised, so we’re motivated by self-preservation as well. Aligning our goals with your goals is the best way to see eye-to-eye on the need to keep everything as secure as we can.

Access control and organizational security

Personnel

All our employees and contractors (workers) sign confidentiality agreements before gaining access to our code and data. Background checks aren’t performed on our workers. Everybody at Instatus is trained and made aware of security concerns and best practices for their systems. Remote access to servers is via our VPN using two factor authentication, and limited to workers who need access for their day to day work. We log all access to all accounts by IP address.

Penetration Testing

• We run a bounty program and welcome reports from security researchers. More details are available here: instatus.com/bug-bounty.
• We maintain and support our automated test suite for development machines.
• We review all changes to the code and infrastructure to ensure they follow best practices and security guidelines (such as OWASP).
• We monitor and alert on anomalous activity.
• We coordinate vulnerability testing with external security researchers.

Audits, Security Policies and Standards

Instatus has not completed a SOC audit, but we're working on submitting a self-assessment for PCI compliance. We have an internally built system that monitors and automatically blocks suspicious activity (including vulnerability scanning, failed logins, and a host of other suspicious behaviour). We also have alerts in place for excessive resource use that escalate for manual investigation. Our product runs on a dedicated network secured with firewalls and carefully monitored.
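To make the "monitor and block failed logins" part concrete, here is an added example of the kind of sliding-window detector such a system runs. It is not Instatus's code, and the log format and the sample lines are constructed for the example: an IP that fails authentication at least `threshold` times inside a `window_seconds` window is flagged once, with the timestamp at which it crossed the line, so that a blocking action can be taken and the decision audited later.

```python
"""Added example (not Instatus's own code): flag IPs that exceed a number of
failed logins inside a sliding time window, over constructed log lines."""
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log lines; the "ts event key=value ..." format is an
# assumption for this example, not a real Instatus log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z login ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:03Z login ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:04Z login ip=198.51.100.2 user=bob result=ok
2024-05-01T10:00:06Z login ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:09Z login ip=203.0.113.7 user=carol result=fail
2024-05-01T10:00:10Z login ip=203.0.113.7 user=dave result=fail
2024-05-01T10:05:00Z login ip=198.51.100.2 user=bob result=fail
2024-05-01T10:20:00Z login ip=198.51.100.2 user=bob result=fail
"""


def parse_line(line):
    """Split one log line into (timestamp, event name, {key: value})."""
    ts_str, event, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event, kv


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: timestamp} for every IP whose failed logins reached
    `threshold` within any `window_seconds` span; the timestamp is the
    moment the threshold was first crossed (an IP is reported only once)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, kv = parse_line(line)
        if event != "login" or kv.get("result") != "fail":
            continue
        ip = kv["ip"]
        recent = failures[ip]
        recent.append(ts)
        # Drop failures that fell out of the window (log is in time order).
        while recent and (ts - recent[0]).total_seconds() > window_seconds:
            recent.popleft()
        if len(recent) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"block {ip}: threshold crossed at {when.isoformat()}")
```

Two failures spread fifteen minutes apart (198.51.100.2 above) never accumulate, so only the burst from 203.0.113.7 is reported; raising `window_seconds` trades fewer false negatives for more false positives on shared NAT addresses.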

Data protection and privacy

Our overall privacy policy is available at instatus.com/policies. Some highlights:

Data Location

Our primary data centers are in the United States on Amazon AWS. All data is backed up daily, and stored in multiple locations. Our software infrastructure is updated regularly with the latest security patches.

Encryption in transit and at rest

Over public networks we send data using strong encryption. We use SSL certificates issued by Let's Encrypt. You can check our currently supported ciphers here: https://www.ssllabs.com/ssltest/analyze.html?d=instatus.com&latest

Our application databases are not encrypted at rest — the information you add to the applications is active in our databases and subject to the same protection and monitoring as the rest of our systems. All passwords are hashed and salted using BCrypt. Our backups of your data are encrypted using GPG.
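As an added illustration of what "hashed and salted" buys you, here is a small password-storage routine. It is not Instatus's code. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the stored string mirrors bcrypt's self-describing `$algorithm$cost$salt$hash` layout so the work factor and salt travel with the hash and can be raised later without a data migration. The iteration count and field names are choices made for this example.

```python
"""Added example (not Instatus's own code): salted, slow password hashing
with a self-describing stored format, constant-time verification, and a
check for whether an old hash should be upgraded to the current cost."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2-sha256"   # stand-in for bcrypt, which is not in the stdlib
ITERATIONS = 600_000     # work factor; raise it as hardware gets faster


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt=None, iterations: int = ITERATIONS) -> str:
    """Return "$pbkdf2-sha256$<iterations>$<salt>$<hash>" for storage.
    A fresh 16-byte random salt is drawn per password, so two users with the
    same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"${ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost; compare in constant time."""
    try:
        _, algo, iters, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored hash uses an older algorithm or a lower cost than
    the current setting; call after a successful login and re-hash then,
    since the plaintext is only available at that moment."""
    parts = stored.split("$")
    return len(parts) != 5 or parts[1] != ALGO or int(parts[2]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("login ok:", verify_password("wrong password", record))
```

The `needs_rehash` step is the part most deployments forget: because the cost is recorded beside the hash, you can raise `ITERATIONS` today and let each account migrate on its next successful login, rather than keeping every stored hash at the cost chosen years ago.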

Law enforcement

Instatus won’t hand your data over to law enforcement unless a court order says we have to. We flat-out reject requests from local and federal law enforcement when they seek data without a court order. And unless we’re legally prevented from it, we’ll always inform you when we receive such requests.

Data deletion

All your content will be inaccessible immediately upon deletion. Within 30 days, all content will be permanently deleted from all servers and logs. This information cannot be recovered once it has been permanently deleted. We also keep backups stored off-site for a maximum of 30 additional days. Therefore, after a cancellation, all data will be permanently deleted from backups within 60 days.

Incident management and disaster recovery

We practice regular recovery drills. We perform daily backups of all databases. Our backups are tested on a regular basis and are stored off-site for a maximum of 30 days. We have procedures for responding to incidents. In the event of an incident, we would communicate it with customers via our status page, and work with you throughout.

Reporting security problems

Send urgent or sensitive reports directly to security@instatus.com. We’ll get back to you as soon as we can, usually within 24 hours.

Please follow up or ping us on Twitter @instatus if you don’t hear back.

Tracking and disclosing security issues

We work with security researchers to keep up with the state-of-the-art in web security. Have you discovered a web security flaw that might impact our product? Please submit a report at instatus.com/bug-bounty.

If you submit a report, here’s what will happen:

  • We’ll acknowledge your report & tell you the best way to track the status of your issue.
  • We’ll investigate the issue and determine how it impacts our products. We won’t disclose issues until our investigation is finished, but we’ll work with you to ensure we fully understand the issue.
  • Once the issue is resolved, we’ll post a security update along with thanks and credit for the discovery.

Conclusion

Security isn’t just about technology, it’s about trust.

We'll work hard every day to build and maintain it with you. Longevity and stability are core to our mission at Instatus. Want to know more?

Email security@instatus.com if you have other security questions. We’ll get back to you as quickly as we can.
