Security
How we protect your data and keep things running.
Last updated: February 2026
Overview
StatusPage.me is a small, independent, privacy-focused company. We store your data on the same infrastructure we rely on ourselves - that alignment keeps us honest. This page describes the concrete technical measures we use. No marketing fluff, no badges we haven't earned.
Authentication & Access
| Password hashing | Argon2id - the current recommended algorithm (stronger than bcrypt/scrypt) |
| Breached password detection | Passwords are checked against the HaveIBeenPwned database using k-anonymity (your password never leaves our servers) |
| Two-factor authentication | TOTP (authenticator app) and WebAuthn / hardware security keys |
| Role-based access control | Team roles: Owner, Admin, Editor, Viewer - with per-status-page access scoping |
| Session management | Forced session invalidation on password change, secure & HttpOnly cookies in production |
| OAuth sign-in | Google and GitHub with state validation |
| API keys | Scoped permissions, prefix-only storage (full key never stored), revocation support, last-used tracking |
| Security alerts | Email notifications on password changes, 2FA changes, and other account-sensitive actions |
Encryption
| In transit | TLS everywhere with HSTS enforced. Automatic HTTPS for all domains including customer custom domains via Let's Encrypt. |
| Sensitive data at rest | OAuth tokens and integration secrets encrypted with AES-256-GCM |
| Passwords | Irreversibly hashed with Argon2id (never stored in plaintext or reversible form) |
| IP addresses | Hashed with SHA-256 before storage - raw IPs are not kept in the application database |
Infrastructure
| Architecture | 5 isolated service components (website, status pages, user dashboard, admin, scheduler) running as separate processes |
| Health monitoring | Per-component health checks with automatic routing - unhealthy components are removed from load balancing |
| Deployment safety | Automated pre-deploy backups, 2-minute post-deploy health monitoring, automatic rollback on failure detection |
| Security headers | HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection |
| Network protection | Network-level DDoS mitigation provided by our hosting provider, with edge TLS termination and request handling via Caddy |
| Dependency scanning | Automated vulnerability scanning via GitHub Dependabot with alerts and pull requests |
Application Security
| SQL injection | All database queries use parameterized statements - no string concatenation of user input into SQL |
| XSS prevention | Server-side template auto-escaping, Content Security Policy headers |
| CSRF protection | Cryptographic CSRF tokens on all state-changing requests (forms and API calls) |
| SSRF protection | Server-side URL fetching blocks all private/internal IP ranges (RFC 1918, loopback, link-local, IPv6 ULA) |
| Rate limiting | Authentication endpoints, API calls, and public tools are rate-limited per IP |
| Request timeouts | Global 30-second timeout to prevent resource exhaustion |
Data Protection & Privacy
| Data deletion | Automated GDPR-compliant deletion - all user data permanently purged 60 days after account closure, audit logs after 90 days |
| Account closure | Self-service account deletion with immediate soft-delete and scheduled hard purge |
| Subscriber management | Double opt-in confirmation, one-click unsubscribe, bulk export and deletion |
| Audit logging | All administrative actions, authentication events, impersonation sessions, and data changes are logged with timestamps and actor context |
| Error log sanitization | Authorization and Cookie headers are automatically redacted from error logs |
Backups & Recovery
| Database backups | Automated daily backups with weekly and monthly rotation. Backups include full database state and global objects (roles, permissions). |
| Application backups | Timestamped binary backups on every deployment with 5-version retention |
| Recovery targets | RPO: 24 hours (daily backup interval). RTO: ~30 minutes (restore + restart). |
| Restore testing | Periodic restore-to-temporary-database verification to ensure backup integrity |
Uptime & SLA
We target 99.9% monthly uptime for the StatusPage.me platform. Our own status page is public - you can verify our track record anytime:
We use multi-region uptime monitoring with quorum-based alerting to minimize false positives. Automated deployment rollbacks help us recover from bad releases within minutes, not hours.
What we don't have (yet)
Transparency matters. Here's what we're working toward but haven't completed:
| SOC 2 certification | We follow SOC 2-aligned security practices but have not completed a formal audit. We're happy to answer specific questions from your compliance team. |
| SSO (SAML/OIDC) | Not yet available. We support OAuth (Google, GitHub) and plan to add SAML for enterprise accounts. |
| Full database encryption at rest | Sensitive fields (tokens, secrets) are encrypted at rest with AES-256-GCM. Full-disk encryption for the database volume is on our roadmap. |
| Multi-region redundancy | Our monitoring agents run in multiple regions, but the core platform runs on dedicated infrastructure in a single region. Multi-region failover is planned. |
FAQ
Do you have SOC 2 certification?
Not yet. We follow SOC 2-aligned security practices, but we have not completed a formal audit. If your compliance team has a questionnaire, send it over and weβll answer directly.
Is data encrypted at rest?
Sensitive fields such as OAuth tokens and integration secrets are encrypted at rest using AES-256-GCM. Passwords are irreversibly hashed with Argon2id. Full-disk/database-volume encryption is on our roadmap.
Is traffic encrypted in transit?
Yes. TLS is enforced everywhere with HSTS, including for custom domains via Let's Encrypt.
Do you support SSO (SAML/OIDC)?
Not yet. We support OAuth (Google/GitHub) and offer TOTP and WebAuthn / security keys. SSO support is planned for enterprise accounts.
How do backups and recovery work?
We run automated daily database backups with weekly/monthly rotation, plus timestamped binary backups on every deployment. Current recovery targets are roughly RPO 24 hours and RTO about 30 minutes, with periodic restore verification.
How do you protect against common web attacks?
We use CSRF protection, SSRF protections blocking private network ranges, parameterized SQL queries, server-side template escaping plus CSP headers, and rate limiting on sensitive endpoints.
How can I report a vulnerability?
Email security@statuspage.me with details and repro steps. We take reports seriously and will respond as quickly as we can.
Where can I view your uptime and incidents?
Our status page is public at status.statuspage.me.
Report a vulnerability
If you discover a security vulnerability, please report it responsibly. We take every report seriously and will respond as quickly as we can.