Security you can verify.
obseria.io is built on independently audited certifications, strong encryption, and strict access controls — not self-assessments.
99.99%
Uptime SLA
Enterprise tier
AES-256
Encryption at rest
TLS 1.3 in transit
< 4 h
Vuln response SLA
48 h patch SLA
Annual
Pen test cadence
Independent third party
Certifications
Independently audited & certified
Every certification is verified by an independent third-party auditor. Reports and documentation are available under NDA on request.
SOC 2 Type II
Verified security, availability, and confidentiality controls
Our SOC 2 Type II audit is conducted annually by an independent third-party auditor covering all five Trust Services Criteria. A copy of the full report is available to customers and prospects under NDA.
GDPR
Full compliance with EU data protection regulations
obseria.io is fully compliant with the EU General Data Protection Regulation. We provide a Data Processing Agreement for all customers and support EU-only data residency on Pro and Enterprise plans.
ISO 27001
International standard for information security management
Our ISO 27001 certification covers the obseria.io cloud platform and supporting infrastructure, verifying our systematic approach to managing sensitive information through a formal risk management process.
HIPAA
Healthcare data protection and privacy compliance
HIPAA compliance covering Business Associate Agreement availability, PHI handling procedures, and audit log retention for healthcare customers. Full certification expected Q3 2026.
PCI DSS
Payment card industry data security standard compliance
PCI DSS Level 1 compliance covering cardholder data environments and payment processing pipelines monitored through obseria.io. Expected certification Q4 2026.
Security practices
How we protect your data
Encryption everywhere
All data encrypted in transit with TLS 1.3 and at rest with AES-256. Keys managed via AWS KMS with automatic 90-day rotation. Bring-your-own-key (BYOK) available on Enterprise.
Access controls
Role-based access control with fine-grained permissions. SSO via SAML 2.0 and OIDC. MFA enforced for all obseria.io employees. Hardware security keys required for production access.
Infrastructure security
Hosted on AWS with VPC isolation, private subnets, and no direct internet access to data stores. All infrastructure changes go through a peer-reviewed IaC pipeline with automated vulnerability scanning.
Audit & compliance
Comprehensive audit logs for all API calls and user actions, retained for 12 months. SIEM integration available. Annual penetration testing by an independent third party with a public bug bounty programme.
Responsible disclosure
We maintain a coordinated disclosure programme. Critical reports receive an acknowledgement within 4 hours and a patch within 48 hours. Researchers are credited publicly if desired.
Vendor risk management
All third-party sub-processors are reviewed annually. Our list is publicly available and customers are notified 30 days before any additions with a right to object.
Sub-processors
Who handles your data
We maintain a complete list of all sub-processors that may process customer telemetry data. Customers are notified at least 30 days before any new sub-processor is added, with a right to object.
Request full sub-processor listAmazon Web Services (AWS)
Cloud infrastructure — US-East, EU-West
Cloudflare
DDoS protection, CDN, DNS
Stripe
Payment processing
Twilio SendGrid
Transactional email
PagerDuty
On-call escalation integration
Penetration testing
Annual independent pen test
Full-scope penetration test annually by an independent firm covering the API, web application, internal network, and social engineering vectors. All findings are remediated within 30 days and re-tested. Customers may request a summary under NDA.
Responsible disclosure
Report a vulnerability
We welcome coordinated disclosure from security researchers. Reports are acknowledged within 4 hours, with critical patches shipped within 48 hours. Researchers who wish to be credited publicly will be recognised after resolution.
Questions about security?
Our security team is happy to answer questions, provide documentation, or schedule a technical deep-dive before you sign.