Security & Compliance

Comprehensive information about our security architecture, data protection measures, compliance certifications, and responsible disclosure practices.

Security Overview

Security is foundational to AtomPing. As a monitoring platform trusted with your infrastructure data, we implement defense-in-depth strategies across application, network, and physical layers.

This page provides transparency into our security architecture, practices, and certifications. If you identify a vulnerability, please report it responsibly to support@atomping.com with subject "Security Report".

Security Principles:

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Minimal permissions for users, services, and employees
  • Zero Trust: Verify every request, never assume trust
  • Transparency: Open communication about security practices and incidents

Infrastructure Security

Cloud Hosting & Compliance

  • Providers: AWS, Google Cloud, or Azure (region-dependent)
  • Certifications: SOC 2 Type II, ISO 27001, PCI-DSS Level 1 (payment infrastructure)
  • Data Centers: Tier III+ facilities with 24/7 security, biometric access, redundant power
  • Geographic Distribution: Multi-region deployment for high availability and disaster recovery

Network Security

  • DDoS Protection: Layer 3/4/7 mitigation via cloud provider WAF and rate-limiting
  • Firewall: Stateful firewalls, allowlist-based ingress rules
  • Network Segmentation: Isolated VPCs for control plane, agents, databases
  • Intrusion Detection: IDS/IPS monitoring for anomalous traffic patterns

Database Security

  • Encryption at Rest: AES-256 for all database volumes (PostgreSQL + TimescaleDB)
  • Encryption in Transit: TLS 1.3 for all database connections
  • Access Controls: Role-based access, principle of least privilege
  • Automated Backups: Daily encrypted backups with 30-day retention, tested restore procedures
  • Audit Logging: All queries logged for security audits

Containerization & Orchestration

  • Container Security: Minimal base images (Alpine Linux), no root processes
  • Image Scanning: Automated vulnerability scanning for all Docker images
  • Orchestration: Kubernetes with network policies, pod security standards
  • Secret Management: Kubernetes secrets encrypted at rest, rotated regularly

Encryption Standards

Data in Transit

  • TLS 1.3: All HTTPS traffic (TLS 1.2 minimum, deprecated protocols disabled)
  • Certificate Management: Let's Encrypt with automated rotation
  • HSTS: HTTP Strict Transport Security enforced (max-age=31536000, includeSubDomains)
  • Perfect Forward Secrecy (PFS): Ephemeral key exchange (ECDHE)
  • Cipher Suites: Only strong ciphers enabled (AES-GCM, ChaCha20-Poly1305)

Data at Rest

  • Database: AES-256 encryption for PostgreSQL/TimescaleDB volumes
  • File Storage: S3/GCS server-side encryption (SSE-KMS)
  • Backups: Encrypted backups stored in separate region/account
  • Application Secrets: Passwords hashed with bcrypt (cost factor 12), API keys encrypted with AES-256-GCM

Key Management

  • KMS: AWS KMS, Google Cloud KMS, or Azure Key Vault for encryption keys
  • Key Rotation: Automated rotation every 90 days
  • Access Control: IAM policies restrict key access to authorized services only

Application Security

Authentication

  • JWT Tokens: Stateless authentication with HMAC-SHA256 signing
  • Token Expiry: Short-lived access tokens (1 hour), refresh tokens (30 days)
  • Password Policy: Minimum 12 characters, complexity requirements, breach detection via HaveIBeenPwned
  • Multi-Factor Authentication (MFA): TOTP-based 2FA available (recommended for all accounts)
  • Brute Force Protection: Rate limiting, account lockout after 5 failed attempts

Authorization

  • Role-Based Access Control (RBAC): Admin, Member, Viewer roles with scoped permissions
  • API Key Scoping: Restrict API keys to specific resources and operations
  • Session Management: Server-side session validation, automatic logout after inactivity

Input Validation & Output Encoding

  • SQL Injection Prevention: Parameterized queries (Django ORM), no raw SQL
  • XSS Protection: Content Security Policy (CSP), React auto-escaping, DOMPurify for user-generated content
  • CSRF Protection: Double-submit cookie pattern, SameSite=Strict
  • Command Injection: No shell=True in subprocess calls, allowlist validation

Dependency Management

  • Vulnerability Scanning: Automated scanning with Dependabot/Renovate
  • Patching Cadence: Critical vulnerabilities patched within 48 hours
  • Minimal Dependencies: Only trusted, actively maintained libraries
  • License Compliance: No GPL/AGPL dependencies in proprietary code

Security Monitoring & Incident Response

Logging & Auditing

  • Application Logs: All authentication events, authorization failures, API calls logged
  • Audit Trail: Immutable logs for compliance (GDPR, SOC 2)
  • Retention: Security logs retained for 1 year
  • Centralized Logging: ELK stack or cloud-native logging for correlation

Intrusion Detection

  • Anomaly Detection: Behavioral analysis for unusual access patterns
  • Failed Login Monitoring: Alerts on brute force attempts
  • API Abuse Detection: Rate limiting, anomalous request patterns

Incident Response Plan

  • Team: Dedicated security incident response team (on-call 24/7)
  • Response Time: Critical incidents acknowledged within 1 hour
  • Procedure: Containment, Forensics, Remediation, Post-Mortem
  • Communication: Transparent status updates via email and status page

Data Breach Notification (GDPR Compliance)

  • Timeline: Supervisory authority notified within 72 hours
  • User Notification: Affected users notified if high risk to rights/freedoms
  • Documentation: Full incident report with root cause analysis

Access Control & Employee Security

Employee Access

  • Background Checks: All employees undergo background verification
  • Least Privilege: Employees granted only necessary permissions
  • MFA Required: Multi-factor authentication mandatory for all internal systems
  • Access Reviews: Quarterly audits of employee permissions
  • Offboarding: Access revoked immediately upon termination

Production Access

  • Principle of Least Privilege: No direct production database access (read replicas only for debugging)
  • Audit Logging: All production access logged and reviewed
  • Justification Required: Break-glass access requires approval + ticket

Third-Party Vendors

  • Vendor Assessment: Security questionnaires for all vendors with data access
  • Data Processing Agreements (DPA): Contractual obligations for GDPR compliance
  • Minimal Access: Vendors granted only necessary permissions

Compliance & Certifications

Current Certifications

  • GDPR Compliance: Full compliance with EU General Data Protection Regulation
  • CCPA Compliance: California Consumer Privacy Act requirements met
  • PCI-DSS: Payment card industry compliance via Stripe (Level 1 Service Provider)

In Progress / Planned

  • SOC 2 Type II: In progress (expected completion: H2 2026)
  • ISO 27001: Information security management system certification (planned 2027)

Framework Alignment

  • OWASP Top 10: Application security aligned with OWASP best practices
  • NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
  • CIS Controls: Center for Internet Security critical security controls

Security Testing & Validation

Automated Testing

  • Static Application Security Testing (SAST): Bandit (Python), ESLint (TypeScript)
  • Dependency Scanning: Snyk, GitHub Dependabot
  • Container Scanning: Trivy for Docker image vulnerabilities
  • CI/CD Integration: Security checks in every pull request

Manual Testing

  • Penetration Testing: Annual third-party pentests (black-box and gray-box)
  • Code Reviews: Security-focused reviews for authentication, authorization, data handling
  • Threat Modeling: STRIDE analysis for new features

Bug Bounty Program

  • Status: Launching 2026
  • Scope: *.atomping.com, API endpoints, agent infrastructure
  • Rewards: Tiered rewards based on severity (CVSS scoring)

Business Continuity & Disaster Recovery

High Availability

  • Multi-Region Deployment: Active-active across 2+ geographic regions
  • Load Balancing: Health-checked load balancers with automatic failover
  • Database Replication: Multi-AZ PostgreSQL with synchronous replication
  • Target Uptime: 99.9% SLA for Pro/Business plans (see SLA)

Disaster Recovery

  • Backup Strategy: Daily automated backups with 30-day retention
  • RTO (Recovery Time Objective): 4 hours
  • RPO (Recovery Point Objective): 1 hour (maximum data loss)
  • DR Testing: Quarterly disaster recovery drills
  • Geographic Separation: Backups stored in separate region

Responsible Vulnerability Disclosure

We appreciate the security community's efforts to keep AtomPing secure. If you discover a vulnerability, please report it responsibly.

Reporting Process

Email: support@atomping.com with subject "Security Report - [Brief Description]"

Please include:

  • Vulnerability description and impact
  • Steps to reproduce (proof-of-concept)
  • Affected endpoints/components
  • Your contact information (for follow-up)

Our Commitment

  • Acknowledgment: Within 24 hours
  • Initial Assessment: Within 72 hours
  • Resolution Timeline: Critical: 48 hours, High: 7 days, Medium: 30 days
  • Coordinated Disclosure: We will work with you on disclosure timeline
  • Recognition: Credit in security advisories (unless you prefer anonymity)

Safe Harbor

  • We will not pursue legal action for good-faith security research
  • You must not access/modify user data beyond what is necessary for demonstration
  • You must not perform denial-of-service or resource exhaustion attacks
  • You must not publicly disclose vulnerabilities before coordinated disclosure date

Contact Information

For security-related questions or concerns, please contact us:

  • Company: Atomix Apps, LLC
  • Jurisdiction: Delaware, United States
  • Email: support@atomping.com
  • Security Reports: Subject line "Security Report"
  • PGP Key: Available upon request