Skip to main content

Security Overview

PingSLA is built with security as a core requirement, not an afterthought.

Data Encryption

LayerProtection
Data in transitTLS 1.2+ enforced on all endpoints
Data at restAES-256 encryption on all database volumes
PasswordsBcrypt with cost factor 12 (never stored plaintext)
API keysStored as SHA-256 hashed values — never recoverable after creation
Webhook secretsEncrypted at rest using AES-256-GCM

Network Architecture

Internet
└── Cloudflare (DDoS protection + WAF)
└── AWS Application Load Balancer (TLS termination)
└── EC2 (private subnet)
└── Nginx reverse proxy
├── pingsla.com (marketing static)
├── app.pingsla.com (SPA)
├── api.pingsla.com (Node backend)
└── docs.pingsla.com (docs static — isolated)

The docs site and application backend are fully isolated — docs are static files with no access to the application database or internal services.

Probe workers run in isolated VMs with:

  • No persistent storage
  • No access to customer data
  • Outbound-only connections (to monitored endpoints)
  • Rotated credentials on each deployment

Authentication Security

  • JWT access tokens expire in 15 minutes
  • Refresh tokens are httpOnly, Secure, SameSite=Strict cookies
  • Token rotation on every refresh
  • Concurrent session limit enforced (configurable on Enterprise)
  • API keys are single-use display (shown once, stored hashed)

Rate Limiting

All API endpoints are rate-limited at the Nginx and application layer:

  • Authentication endpoints: 5 requests / 15 minutes per IP
  • API endpoints: plan-dependent (see Usage Limits →)
  • Probe endpoints: internal only, not publicly accessible

Security Headers

All HTTPS responses include:

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: [context-appropriate policy]

OWASP Top 10 Coverage

RiskControl
InjectionParameterized queries, input validation
Broken AuthShort-lived JWTs, httpOnly cookies, rate limiting
Sensitive Data ExposureEncryption at rest and in transit
XXEJSON-only API, no XML parsing
Broken Access ControlRBAC enforced on every endpoint
Security MisconfigurationHardened Nginx config, CSP, HSTS
XSSCSP, output encoding, React DOM escaping
Insecure DeserializationJSON.parse with schema validation
Known VulnerabilitiesAutomated dependency scanning (Dependabot)
Logging & MonitoringFull audit logs, anomaly detection

Responsible Disclosure

To report a security vulnerability:

  1. Do not open a public GitHub issue
  2. Email security@pingsla.com
  3. Use PGP encryption if possible (key at pingsla.com/.well-known/security.txt)
  4. Include: description, reproduction steps, impact assessment
  5. We commit to acknowledging within 24 hours and resolving within 90 days depending on severity

Compliance

StandardStatus
GDPRCompliant — DPA available on request
SOC 2 Type IIIn progress
ISO 27001Roadmap

Data Residency

By default, all data is stored in AWS us-east-1 (N. Virginia). Enterprise customers can request EU-only or APAC-only data residency.