Security Overview
PingSLA is built with security as a core requirement, not an afterthought.
Data Encryption
| Layer | Protection |
|---|---|
| Data in transit | TLS 1.2+ enforced on all endpoints |
| Data at rest | AES-256 encryption on all database volumes |
| Passwords | Bcrypt with cost factor 12 (never stored plaintext) |
| API keys | Stored as SHA-256 hashed values — never recoverable after creation |
| Webhook secrets | Encrypted at rest using AES-256-GCM |
Network Architecture
Internet
└── Cloudflare (DDoS protection + WAF)
└── AWS Application Load Balancer (TLS termination)
└── EC2 (private subnet)
└── Nginx reverse proxy
├── pingsla.com (marketing static)
├── app.pingsla.com (SPA)
├── api.pingsla.com (Node backend)
└── docs.pingsla.com (docs static — isolated)
The docs site and application backend are fully isolated — docs are static files with no access to the application database or internal services.
Probe workers run in isolated VMs with:
- No persistent storage
- No access to customer data
- Outbound-only connections (to monitored endpoints)
- Rotated credentials on each deployment
Authentication Security
- JWT access tokens expire in 15 minutes
- Refresh tokens are httpOnly, Secure, SameSite=Strict cookies
- Token rotation on every refresh
- Concurrent session limit enforced (configurable on Enterprise)
- API keys are single-use display (shown once, stored hashed)
Rate Limiting
All API endpoints are rate-limited at the Nginx and application layer:
- Authentication endpoints: 5 requests / 15 minutes per IP
- API endpoints: plan-dependent (see Usage Limits →)
- Probe endpoints: internal only, not publicly accessible
Security Headers
All HTTPS responses include:
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: [context-appropriate policy]
OWASP Top 10 Coverage
| Risk | Control |
|---|---|
| Injection | Parameterized queries, input validation |
| Broken Auth | Short-lived JWTs, httpOnly cookies, rate limiting |
| Sensitive Data Exposure | Encryption at rest and in transit |
| XXE | JSON-only API, no XML parsing |
| Broken Access Control | RBAC enforced on every endpoint |
| Security Misconfiguration | Hardened Nginx config, CSP, HSTS |
| XSS | CSP, output encoding, React DOM escaping |
| Insecure Deserialization | JSON.parse with schema validation |
| Known Vulnerabilities | Automated dependency scanning (Dependabot) |
| Logging & Monitoring | Full audit logs, anomaly detection |
Responsible Disclosure
To report a security vulnerability:
- Do not open a public GitHub issue
- Email security@pingsla.com
- Use PGP encryption if possible (key at pingsla.com/.well-known/security.txt)
- Include: description, reproduction steps, impact assessment
- We commit to acknowledging within 24 hours and resolving within 90 days depending on severity
Compliance
| Standard | Status |
|---|---|
| GDPR | Compliant — DPA available on request |
| SOC 2 Type II | In progress |
| ISO 27001 | Roadmap |
Data Residency
By default, all data is stored in AWS us-east-1 (N. Virginia). Enterprise customers can request EU-only or APAC-only data residency.