FAQ — Security, Privacy and Compliance
Security
Being a Software as a Service, Checkly operates as an external agent from the public internet with no need for installation within or privileged access to the user’s network.
Checkly can run two types of monitoring checks:
- API checks, which consist of one or more HTTP requests to a user-defined API endpoint
- Browser checks, which run a series of user-defined interactions on a web page through a headless browser.
Data such as response logs, timings, screenshots, and other similar artifacts are then processed and displayed on Checkly.
In short, Checkly:
- Simulates browser click flows and API requests like a real end-user or connected services.
- Has no access to the monitored application’s source code.
- Only mock or test data should be used to run the tests.
Security Response
We operate a white hat program that encourages developers to investigate and collaborate with Checkly on security vulnerabilities. Please find more here: https://www.checklyhq.com/security-response/.
Yes, Checkly is fully compliant with GDPR.
Yes, Checkly is SOC 2, Type 2 compliant showing we cover security, availability, confidentiality, privacy, and processing integrity. As we continue to innovate new features and capabilities for users, Checkly is committed to ensuring and protecting the privacy of our clients and their data.
Our authentication provider Auth0 is SOC 2 Type 2, ISO 27001, and 27018 certified. Our infrastructure providers Heroku and AWS maintain numerous certifications, including PCI, HIPAA, ISO, and SOC compliance.
Yes, Checkly operates a security response program that encourages developers to investigate and collaborate with Checkly on security vulnerabilities. Please find more here: https://www.checklyhq.com/security-response/.
Checkly uses Cloudflare to protect its network infrastructure against volumetric attacks, in addition to a dedicated DDoS mitigation service. Also, to protect the platform, Checkly’s system imposes rate limits on APIs and database calls.
Our infrastructure uses the provider’s firewalls and threat detection. Additionally, our providers have state of the art malware protection systems in place.
Brute-force protection, which safeguards against brute-force attacks from a single IP Address and targets a single user account, is enabled by default for all connections. Please find more details here: auth0.com/docs/attack-protection/brute-force-protection.
Check data: Users can create and edit JavaScript-based scripts that can run automatically to perform a check on an API / UI. Environment variables holding secrets are encrypted and obfuscated.
- Check result data: Screenshots, HTTP response data, and execution logs.
- System logs: Standard logging of Checkly’s Front- and Backend.
- User Credentials are not held by Checkly but with our authentication provider Auth0.
- Account data: Checkly processes the user name, email address, and account name.
- Credit card and billing information are stored by our payment provider Stripe and on Checkly.
We are encrypting stored data End-to-End. We use HTTPS for all network traffic, encrypt our queueing traffic and use state of the art AES256 encryption for data-at-rest in our database.
Checkly logs account and user activity only to the extent needed to provide the service, for example, for billing and support purposes. The logged activity includes API access, overall check creation/execution, and similar activities. Detailed log data is purged after one month. Additionally:
- Customer accounts are deleted upon request.
- Check result data is rolled up after 1 month if not otherwise agreed with the customer, keeping only metadata.
- Log data is spread over two main systems: AWS and Grafana Cloud. AWS data is retained for a maximum of 1 month after which it is purged. This includes logs generated by users. For Grafana Cloud — which contains application-level logs — is searchable for 1 month, and retained for 1 year.
Yes, we can erase all account data on request.
- Data is continuously backed up and available for recovery up to 4 days ago.
- Our core system software can be restored and deployed from our codebase in case of catastrophic failure with minimal “human involvement”.
- Other check result data is stored redundantly on S3 and removed after 30 days.
- The above measures allow Checkly to fall back in the us-east-1 AWS region.
Customer data is logically split in the database per account.
- Our infrastructure is mostly serverless or cloud-based with generous scaling characteristics. All our core processing, storage, and queueing infrastructure can scale automatically when needed.
- Our web application and website are 100% static, using no servers or load balancers outside of a 3rd party CDN serving the static assets.
- Software control and updates are carried out daily using Dependabot; this way, we track vulnerabilities and critical updates to our production code.
Amazon Web Services (AWS), Heroku, and Vercel.
All data is stored in the European Union, AWS eu-west-1 (Ireland). Only check result data may be stored at the region the user executed the check.
We use RBAC, and all IAM controls available to us on the AWS infrastructure. Only qualified personnel has access to production infra. Checkly employees don’t have physical access to the data centers.
All backups are AES256 encrypted in an AWS S3 bucket.
Multi-factor authentication or Two-factor auth is by default on for all access to production infrastructure.
The infrastructure provider tracks access to core infrastructure. Any key changes to our codebase and infrastructure follow a code review process to enforce the four-eyes principle.
By default, the user authenticates via user name and password. We support single sign-on via social logins (Google, Github). SAML 2.0 and integrations like Microsoft AD are available for Enterprise users.