Your infra data stays yours.
We know you're trusting us with the most sensitive signals about your production environment. Here's exactly what we do with them — no marketing fluff, just the specifics.
Data in transit
All channels use TLS 1.3 — ingestion endpoints, dashboard, API, and webhook delivery. No plain HTTP connections accepted. Minimum cipher suite: TLS_AES_128_GCM_SHA256. HSTS enforced with a 1-year max-age on all web properties.
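The settings above can be verified from the client side rather than taken on trust. The following Python script is an added example, not Devloom's own code: it encodes the stated policy (TLS 1.3 only, a TLS 1.3 AEAD cipher suite, HSTS with a one-year max-age), parses a Strict-Transport-Security header per RFC 6797, and probes a host with an SSL context that refuses anything below TLS 1.3. The hostname `telemetry.example.invalid` is a placeholder, not a real Devloom endpoint.

```python
"""Client-side checks for a TLS 1.3 + HSTS transport policy (added example).

Assumptions (not from the page): the host 'telemetry.example.invalid' is a
placeholder; the policy constants mirror the settings stated on the page.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Policy values as stated on the page
REQUIRED_TLS_VERSION = "TLSv1.3"
# The full set of TLS 1.3 AEAD suites; the page names TLS_AES_128_GCM_SHA256 as its minimum
ALLOWED_TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
}
ONE_YEAR_SECONDS = 31_536_000


@dataclass
class HstsPolicy:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> HstsPolicy:
    """Parse a Strict-Transport-Security value: ';'-separated, case-insensitive directives."""
    policy = HstsPolicy(max_age=None, include_subdomains=False, preload=False)
    if not header:
        return policy
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')  # max-age may be a quoted-string
        if name == "max-age":
            try:
                policy.max_age = int(value)
            except ValueError:
                policy.max_age = None  # malformed value: treat as absent
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
    return policy


def hsts_meets_policy(header: Optional[str], minimum_age: int = ONE_YEAR_SECONDS) -> bool:
    """True when a max-age of at least one year is present (absent or malformed header fails)."""
    parsed = parse_hsts(header)
    return parsed.max_age is not None and parsed.max_age >= minimum_age


def handshake_meets_policy(version: str, cipher: str) -> List[str]:
    """Return findings (empty list = compliant) for a negotiated version/cipher pair."""
    findings = []
    if version != REQUIRED_TLS_VERSION:
        findings.append(f"negotiated {version}, policy requires {REQUIRED_TLS_VERSION}")
    if cipher not in ALLOWED_TLS13_SUITES:
        findings.append(f"cipher {cipher} is not a TLS 1.3 AEAD suite")
    return findings


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str, Optional[str]]:
    """Connect with a context that refuses anything below TLS 1.3 and read the HSTS header.

    Returns (negotiated_version, negotiated_cipher, hsts_header_or_None).
    This is the only part that touches the network.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # handshake fails outright on TLS 1.2 servers
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version = tls.version() or "unknown"
            cipher = tls.cipher()[0] if tls.cipher() else "unknown"
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode("ascii"))
            raw = b""
            while chunk := tls.recv(4096):
                raw += chunk
    header_block = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    hsts = None
    for line in header_block.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            hsts = value.strip()
    return version, cipher, hsts


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "telemetry.example.invalid"  # placeholder host
    negotiated_version, negotiated_cipher, hsts_header = probe_endpoint(target)
    for finding in handshake_meets_policy(negotiated_version, negotiated_cipher):
        print("FAIL:", finding)
    if hsts_meets_policy(hsts_header):
        print("HSTS ok:", hsts_header)
    else:
        print(f"FAIL: HSTS header {hsts_header!r} is missing or below a one-year max-age")
```

Run it as `python check_transport.py <host>`; a server that still negotiates TLS 1.2 fails at the handshake itself rather than producing a finding, which is the desired behaviour for a client enforcing the policy. The HSTS check deliberately treats a malformed `max-age` as absent, since browsers ignore such headers too.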
Data at rest
All telemetry data encrypted at rest using AES-256. Per-tenant namespace isolation: your data is stored in a namespace keyed to your account — no cross-tenant reads are possible at the infrastructure level. Encryption keys rotated quarterly.
Data residency
US West (Oregon) by default for all plans. US East (Virginia) available on Pro and Team plans — select at account setup. EU residency is on our roadmap for H1 2027. We do not transfer data to third parties outside your selected region.
Access control
SSO via Google and GitHub available on Team plan. All plans support email/password with bcrypt hashing. Audit log available on all paid plans — every API call, login, and remediation action is logged with timestamp and actor. Role-based access: Admin, Member, Read-only.
SOC 2 note: Devloom is built with SOC 2 Type II controls in mind. We are targeting a formal SOC 2 audit in H2 2026. We do not claim current SOC 2 certification. We do not handle HIPAA-regulated data.
Found a vulnerability?
We take security reports seriously and respond within 48 hours on business days. Please disclose responsibly — give us time to patch before publishing details. We don't pursue legal action against good-faith reporters.
Email: [email protected] with subject line Security Report — [brief description]. PGP key available on request. Acknowledgment within 48 hours; critical vulnerabilities targeted for a fix within 14 days. We'll coordinate disclosure timing with you.
Bug bounty: not yet active — we're a small team and a formal program takes infrastructure to run properly. When we launch one, we'll notify everyone who has submitted a report. In the meantime, we acknowledge contributions publicly (with your permission) in GitHub security advisories and in our changelog.