Security

Your telemetry reveals how your infrastructure works. We guard it accordingly.

Infrastructure signals expose deployment cadence, service topology, and incident patterns — information that belongs only to your organization. Infrawatch is designed with the access controls, encryption, and audit posture that platform and security teams require before routing sensitive telemetry through a third-party system.

Encryption in transit

All data transmitted to Infrawatch is encrypted with TLS 1.2 minimum. OTLP ingest endpoints (gRPC port 4317, HTTP port 4318) support mutual TLS for collector authentication — required for Enterprise tier.

Encryption at rest

Telemetry data is encrypted at rest using AES-256. Encryption keys are managed via AWS KMS with per-tenant key isolation.

Access control

Role-based access control (RBAC) with viewer, operator, and admin roles. Enterprise tier adds SSO/SAML integration. All access changes are audit-logged.

Tenant isolation

All customer telemetry is isolated at both the storage and query layer. Separate data partitions per account, with no cross-tenant query paths architecturally possible. Your incident data is not used to train or improve correlation models for other tenants.

API key management

Ingest and API keys are scoped (read-only vs. write), rotatable, and revocable from the dashboard at any time. Keys are stored as salted hashes — never in plaintext.

Audit logging

Every configuration change, access event, and integration setup is logged with timestamp, user, and IP. Audit logs are exportable and retained per your plan's data retention policy.

Data handling and residency

Infrawatch's infrastructure runs on AWS in us-east-1 (N. Virginia). All customer data is stored and processed within that region. We do not transfer customer telemetry data outside the US.

What data we store

Infrawatch ingests and stores: metric samples, Kubernetes event records, span summaries (not full trace payloads), and alert event records. We do not store raw log lines.

Retention

Starter: 30 days. Platform: 90 days. Enterprise: configurable. Data is hard-deleted at retention expiry — not archived.

Subprocessors

Our current infrastructure subprocessors include Amazon Web Services (compute, storage) and Stripe (payment processing). We maintain an up-to-date subprocessor list available on request.

Security disclosures

To report a security vulnerability, email [email protected]. We acknowledge disclosures within 24 hours and target remediation within 72 hours for critical issues.

Questions?

Security review requests welcome

We provide a completed security questionnaire and will join a call with your security or infosec team. Most enterprise reviews complete within 5 business days.