FAQ - Security, Privacy and Compliance

Checkly

Checkly is the API & E2E monitoring platform for developers. Checkly monitors the correctness, performance, and uptime of APIs and web applications via synthetic monitoring mechanisms.

Being a Software as a Service, it operates as an external agent from the public internet with no need for installation within or privileged access to the user’s network.

Checkly can run two types of monitoring checks:

  1. API checks, which consist of one or more HTTP requests to a user-defined API endpoint
  2. Browser checks, which run a series of user-defined interactions on a web page through a headless browser.

Data such as response logs, timings, screenshots, and other similar artifacts are then processed and displayed on Checkly.

In short, Checkly:

  • Simulates browser click flows and API requests like a real end-user or connected services.
  • Has no access to the monitored application’s source code.
  • Only mock or test data should be used to run the tests.

Security Response

We operate a white hat program that encourages developers to investigate and collaborate with Checkly on security vulnerabilities. Please find more here: https://www.checklyhq.com/security/security-response/.

FAQ

Yes, Checkly is fully compliant with GDPR.
While following security and data protection industry best practices, Checkly itself is not certified as of now. Our authentication provider Auth0 is Soc2 Typ 2, ISO 27001, and 27018 certified. Our infrastructure providers Heroku and AWS maintain numerous certifications, including PCI, HIPAA, ISO, and SOC compliance.
Yes, Checkly operates a security response program that encourages developers to investigate and collaborate with Checkly on security vulnerabilities. Please find more here: https://www.checklyhq.com/security/security-response/.
Checkly’s network infrastructure is protected against volumetric attacks by their cloud providers, in addition to a dedicated DDoS mitigation service. Also, to protect the platform, Checkly’s system imposes rate limits on APIs and database calls.
We do not run any Linux or other servers. Our infrastructure is serverless and uses the provider’s firewalls and threat detection. Additionally, our providers have state of the art malware protection systems in place.
Brute-force protection, which safeguards against brute-force attacks from a single IP Address and targets a single user account, is enabled by default for all connections. Please find more details here: https://auth0.com/docs/attack-protection/brute-force-protection.
  • Check data: Users can create and edit JavaScript-based scripts that can run automatically to perform a check on an API / UI. Environment variables holding secrets are encrypted and obfuscated.
  • Check result data: Screenshots, HTTP response data, and execution logs.
  • System logs: Standard logging of Checkly’s Front- and Backend.
  • User Credentials are not held by Checkly but with our authentication provider Auth0.
  • Account data: Checkly processes the user name, email address, and account name.
  • Credit card and billing information are stored by our payment provider Stripe and on Checkly.
We are encrypting stored data End-to-End. We use HTTPS for all network traffic, encrypt our queueing traffic and use state of the art AES256 encryption for data-at-rest in our database.

Checkly logs account and user activity only to the extent needed to provide the service, for example, for billing and support purposes. The logged activity includes API access, overall check creation/execution, and similar activities. Detailed log data is purged after one month. Additionally:

  1. Customer accounts are deleted upon request.
  2. Check result data is rolled up after 1 month if not otherwise agreed with the customer, keeping only metadata.
  3. Log data is spread over two main systems: AWS and Papertrail. AWS data is retained for a maximum of 1 month after which it is purged. This includes logs generated by users. For Papertrail — which contains application-level logs — is searchable for 1 month, and retained for 1 year.
Yes, we can erase all account data on request.
  1. Data is continuously backed up and available for recovery up to 4 days ago.
  2. Our core system software can be restored and deployed from our codebase in case of catastrophic failure with minimal “human involvement”.
  3. Other check result data is stored redundantly on S3 and removed after 30 days.
  4. The above measures allow Checkly to fall back in the us-east-1 AWS region.
Customer data is logically split in the database per account.
  1. Our infrastructure is mostly serverless or cloud-based with generous scaling characteristics. All our core processing, storage, and queueing infrastructure can scale automatically when needed.
  2. Our web application and website are 100% static, using no servers or load balancers outside of a 3rd party CDN serving the static assets.
  3. Software control and updates are carried out daily using Dependabot; this way, we track vulnerabilities and critical updates to our production code.
Amazon Web Services (AWS), Heroku, and Vercel.
All data is stored in the European Union, AWS eu-west-1 (Ireland). Only check result data may be stored at the region the user executed the check.
We use RBAC, and all IAM controls available to us on the AWS infrastructure. Only qualified personnel has access to production infra. Checkly employees don’t have physical access to the data centers.
All backups are AES256 encrypted in an AWS S3 bucket.
Multi-factor authentication or Two-factor auth is by default on for all access to production infrastructure.
The infrastructure provider tracks access to core infrastructure. Any key changes to our codebase and infrastructure follow a code review process to enforce the four-eyes principle.
By default, the user authenticates via user name and password. We support single sign-on via social logins (Google, Github). SAML 2.0 and integrations like Microsoft AD are available for Enterprise users.