Security
Last updated: March 11, 2026
At Traxo, security is foundational to everything we build. As an uptime monitoring platform, we understand that our customers trust us with access to their infrastructure. We take that responsibility seriously and maintain rigorous security practices across every layer of our system.
Infrastructure
Our infrastructure is designed with defense in depth:
- Containerized deployment: All services run in isolated Docker containers with minimal base images, reducing the attack surface
- Isolated worker processes: Probe workers that execute uptime checks run in separate, isolated processes with restricted network access. Workers cannot access the main application database directly.
- Network segmentation: Internal services communicate through private networks. Only the web application and API endpoints are publicly accessible.
- Redundant systems: Critical components are deployed with redundancy to ensure availability and resilience against failures
- Regular updates: Dependencies and base images are regularly updated to patch known vulnerabilities
Data Encryption
We encrypt data both in transit and at rest:
- TLS everywhere: All connections to Traxo are encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints, and HSTS headers are set on all responses.
- Database encryption: PostgreSQL connections use encrypted TLS/SSL channels. Sensitive fields are encrypted at the application layer where appropriate.
- Redis encryption: Redis connections used for job queues and caching are secured with authentication and encrypted transport.
- Backup encryption: Database backups are encrypted before storage
Authentication
Traxo implements robust authentication mechanisms:
- Password hashing: All passwords are hashed using bcrypt with appropriate cost factors. We never store or log plaintext passwords.
- JWT tokens: Session management uses JSON Web Tokens (JWT) with secure signing algorithms and appropriate expiration times
- OAuth 2.0: We support Google OAuth for secure third-party authentication, reducing the need for password-based login
- API key authentication: API keys are generated with cryptographic randomness. Only a hashed version is stored in the database; the key prefix is retained for identification purposes only. Full API keys are displayed once at creation and cannot be recovered.
- Session invalidation: Users can sign out from all devices, which invalidates all active sessions
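An added illustration (not Traxo's own code) of the API key handling described above: the key is generated from a cryptographically secure random source, only its hash and a short prefix are persisted, the plaintext is returned exactly once, and verification hashes the presented key and compares it in constant time. The `trx_` marker, the 8-character prefix length, the use of SHA-256 (sufficient because the key itself is high-entropy, unlike a password), and the in-memory dictionary standing in for the database are all assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 8  # assumed prefix length; enough to identify a key in the UI/logs


def _digest(key: str) -> str:
    # Plain SHA-256 is acceptable here only because the key carries ~256 bits
    # of entropy; passwords would need bcrypt as the page describes.
    return hashlib.sha256(key.encode()).hexdigest()


def generate_api_key(org_id: str, user_id: str, store: dict) -> str:
    """Create a key bound to (org, user); persist hash + prefix; return plaintext once."""
    raw = "trx_" + secrets.token_urlsafe(32)  # CSPRNG-backed random key
    prefix = raw[:PREFIX_LEN]
    # Several keys may share a prefix, so keep a list of records per prefix.
    store.setdefault(prefix, []).append(
        {"hash": _digest(raw), "org": org_id, "user": user_id}
    )
    return raw  # displayed once to the caller; never written to the store


def verify_api_key(candidate: str, store: dict):
    """Return (org, user) for a valid key, or None if no record matches."""
    prefix = candidate[:PREFIX_LEN]
    digest = _digest(candidate)
    for rec in store.get(prefix, []):
        # Constant-time comparison avoids leaking how many characters matched.
        if hmac.compare_digest(rec["hash"], digest):
            return rec["org"], rec["user"]
    return None


def masked_display(prefix: str) -> str:
    """Prefix plus a fixed mask, as shown in a UI that never has the full key."""
    return prefix + "*" * 12
```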
Access Control
Traxo enforces strict access control at multiple levels:
- Role-based access control (RBAC): Every organization member is assigned one of three roles:
  - Owner — Full access, including billing, member management, and organization deletion
  - Admin — Can manage monitors, alerts, status pages, and incidents, but cannot manage billing or delete the organization
  - Member — Read-only access to monitors and incidents, can acknowledge alerts
- Organization isolation: All data is scoped to organizations. Users can only access monitors, incidents, and settings belonging to their organization.
- API key scoping: API keys are tied to a specific organization and user, with prefix masking for safe display in the UI
- Route protection: Middleware enforces authentication on all dashboard and API routes. Unauthorized requests are rejected before reaching application logic.
Monitoring & Logging
We monitor our own infrastructure with the same rigor we offer our customers:
- Comprehensive logging of authentication events, API access, and administrative actions
- Real-time alerting on anomalous activity patterns
- Automated monitoring of system health, performance metrics, and error rates
- Log retention policies aligned with our data retention commitments
- Logs are stored in append-only format to prevent tampering
Incident Response
We maintain a documented incident response process:
- Detection: Automated systems detect security events in real time
- Triage: Security incidents are classified by severity and assigned to the appropriate team
- Containment: Immediate steps are taken to contain the threat and prevent further damage
- Investigation: Root cause analysis is conducted to understand the scope and impact
- Remediation: Fixes are deployed and verified
- Notification: Affected customers are notified within 72 hours of confirming a data breach, in compliance with GDPR and other applicable regulations
- Post-mortem: We conduct blameless post-mortems and publish findings where appropriate
Vulnerability Disclosure
We encourage responsible disclosure of security vulnerabilities. If you discover a potential security issue in Traxo, please report it to us:
- Email: security@traxo.dev
When reporting a vulnerability, please include:
- A description of the vulnerability and its potential impact
- Detailed steps to reproduce the issue
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
We commit to the following in our disclosure program:
- Acknowledging receipt of your report within 2 business days
- Providing an initial assessment within 5 business days
- Working with you to understand and resolve the issue
- Not taking legal action against researchers who follow responsible disclosure practices
- Crediting researchers (with permission) in our security advisories
Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. We ask for a minimum of 90 days from initial report before public disclosure.
Third-Party Security
We carefully evaluate the security practices of all third-party services we integrate with:
- RevenueCat: Secure subscription management and payment processing. Card data never touches our servers.
- Google OAuth: Enterprise-grade authentication provider with robust security controls
- Resend: Email delivery with TLS encryption and DKIM/SPF authentication
- Twilio: SOC 2 Type II certified communications platform for SMS delivery
We regularly review our third-party dependencies for known vulnerabilities using automated scanning tools and update them promptly when security patches are available.
Compliance
Traxo is committed to maintaining compliance with applicable security standards and regulations:
- GDPR: We comply with the General Data Protection Regulation for processing personal data of EU residents. See our GDPR page for details.
- SOC 2: We are working toward SOC 2 Type II certification
- Data Protection: We implement technical and organizational measures to protect personal data in accordance with applicable data protection laws
Contact
For security-related inquiries or to report a vulnerability:
- Security reports: security@traxo.dev
- General questions: support@traxo.dev