Our Security Posture

This page is intended to give you a high-level overview of our security posture. If you have any questions or concerns, please contact us.

Compliance Posture

ZoneWatcher is not currently SOC 2 certified. However, we operate according to the same Trust Services Criteria — Security, Availability, Confidentiality, Processing Integrity, and Privacy — that underpin SOC 2. The controls described on this page map directly to those principles.

Account & Customer-Facing Security

Every user password is stored using bcrypt — a one-way cryptographic hash with an industry-standard work factor — so even we cannot read your password after it is set. Password resets and initial setup are completed via email confirmation, and the account holder is notified by email whenever a password change occurs.

Two-Factor Authentication using TOTP is available to every user. Every user also receives an email when a new login or a failed login attempt occurs on their account, so unauthorized access attempts are visible in real time.

Sensitive credit card data never touches our servers; payment details are stored exclusively by our payment processor, Stripe, which is PCI-DSS Level 1 certified.

Application Security

Our application runs on supported and actively patched versions of our programming language and framework. We operate a fully automated continuous integration and continuous deployment pipeline, which is the only path by which changes reach production.

Internal dependencies are checked daily by Dependabot to ensure feature and security updates are applied as soon as they are available. Every change flows through the pipeline above, where it must pass our extensive unit and integration test suite before deployment.

Software Development Lifecycle

Every change to our codebase is made via pull request and reviewed before it can be merged. Our CI pipeline runs static analysis (Larastan), code-style enforcement (Pint), and our automated test suite on every commit.

We maintain awareness of the OWASP Top 10 throughout development, and our framework's security features (CSRF protection, parameterized queries, output escaping, secure session handling) are enabled by default and verified in code review.

Infrastructure Security

Our application is hosted primarily on Railway, with Amazon Web Services (AWS) used for supporting infrastructure such as transactional email. All infrastructure accounts are protected by strong passwords managed through a password manager and require two-factor authentication.

Servers require strong SSH keys for access. All unnecessary ports are closed (besides HTTP/HTTPS). Internal traffic runs on private networks between servers, firewalled at both the cloud-provider edge and on each server with an explicit allowlist of approved hosts.

Servers receive security updates automatically every night.

All traffic to our application is served over HTTPS using modern TLS protocols and cipher suites — we hold an A+ rating from SSL Labs. We also enforce strict HTTP security headers (HSTS, CSP, X-Content-Type-Options, Referrer-Policy, and others) to protect against common attacks such as session hijacking and script injection.

Cloudflare sits in front of our application as both a CDN and Web Application Firewall, helping to mitigate maliciously crafted requests, bots, and volumetric attacks.

Data Handling & Encryption

Encryption in transit. All customer traffic and all internal service-to-service traffic that crosses provider boundaries is encrypted using TLS.

Encryption at rest. Our primary database, replicas, and backup storage are encrypted at rest using AES-256 via our cloud providers. DNS provider credentials — the most sensitive data we handle on your behalf — receive an additional layer of application-level AES-256 encryption with a key that has never been stored in our codebase. Those records are decrypted only in memory while our background workers use them for API calls.

Tenant isolation. ZoneWatcher is multi-tenant. Every database query is scoped to the requesting team at the application layer, and these scopes are enforced through framework-level guards that are exercised by our test suite.

Secrets management. Application secrets and API credentials are managed via environment variables in our cloud platforms. They are never committed to source control, never logged, and access is restricted to the small set of employees who require it for their role.

Data retention. We retain your DNS history for as long as your account is active. Database backups are retained on a rolling window. When an account is closed, customer data is deleted from our active systems and ages out of backups according to our retention schedule.

Availability & Continuity

Real-time service status, historical uptime, and incident notices are published on our public status page. Customers can subscribe to receive notifications for incidents and scheduled maintenance.

Application and database backups are performed multiple times per day and stored encrypted offsite from primary infrastructure. We periodically test backup restoration to verify that recovery procedures work as expected.

Production workloads run across multiple availability zones at our cloud providers, allowing the service to absorb the loss of a single zone without customer-visible impact.

Internal Access & Operations

Employee access to production systems and customer data follows the principle of least privilege — access is granted only to the systems an individual needs for their role and is removed promptly when no longer required or when an employee leaves.

All admin accounts use strong passwords managed by a password manager and are required to have two-factor authentication enabled. Sensitive administrative actions are logged for audit purposes.

Production systems are monitored continuously for errors, anomalies, and performance regressions, with alerts routed to the team for response.

Incident Response

In the event of a confirmed security incident affecting customer data, we will notify affected customers without undue delay and consistent with applicable law. Communications will describe what happened, what data was affected, the steps we are taking, and what action you should consider taking.

Service-impacting incidents are communicated in real time via our status page.

Subprocessors

We rely on a small number of trusted vendors to deliver ZoneWatcher. The following subprocessors may process customer data on our behalf:

  • Railway — primary application and database hosting.
  • Amazon Web Services — transactional email and supporting infrastructure (US regions).
  • Cloudflare — CDN, DDoS protection, and Web Application Firewall.
  • Stripe — payment processing and storage of payment instruments (PCI-DSS Level 1).
  • GitHub — source control and dependency monitoring (Dependabot).

For an up-to-date list, including any vendors used for transactional email, customer support, or product analytics, please contact us.

Privacy & Data Rights

Our handling of personal data is described in our Privacy Policy, and the legal terms governing use of the service are set out in our Terms of Service.

Vulnerabilities & Responsible Disclosure

We take security very seriously at ZoneWatcher. If you believe you have found a vulnerability in our application or infrastructure, please email us at support@zonewatcher.com and we will respond as soon as possible.

You may view our security.txt file to find more contact information and our PGP key.

Last updated: April 2026
