obseria.io for Enterprise — SSO, SAML & dedicated support.
obseria.io
All systems operational

Security you can verify.

obseria.io is built on independently audited certifications, strong encryption, and strict access controls — not self-assessments.

99.99%

Uptime SLA

Enterprise tier

AES-256

Encryption at rest

TLS 1.3 in transit

< 4 h

Vuln response SLA

48 h patch SLA

Annual

Pen test cadence

Independent third party

Certifications

Independently audited & certified

Every certification is verified by an independent third-party auditor. Reports and documentation are available under NDA on request.

SOC 2Type II
Certified

SOC 2 Type II

Verified security, availability, and confidentiality controls

Our SOC 2 Type II audit is conducted annually by an independent third-party auditor covering all five Trust Services Criteria. A copy of the full report is available to customers and prospects under NDA.

GDPR
Certified

GDPR

Full compliance with EU data protection regulations

obseria.io is fully compliant with the EU General Data Protection Regulation. We provide a Data Processing Agreement for all customers and support EU-only data residency on Pro and Enterprise plans.

ISO27001
Certified

ISO 27001

International standard for information security management

Our ISO 27001 certification covers the obseria.io cloud platform and supporting infrastructure, verifying our systematic approach to managing sensitive information through a formal risk management process.

HIPAA
Coming 2026

HIPAA

Healthcare data protection and privacy compliance

HIPAA compliance covering Business Associate Agreement availability, PHI handling procedures, and audit log retention for healthcare customers. Full certification expected Q3 2026.

PCIDSS
Coming 2026

PCI DSS

Payment card industry data security standard compliance

PCI DSS Level 1 compliance covering cardholder data environments and payment processing pipelines monitored through obseria.io. Expected certification Q4 2026.

Security practices

How we protect your data

Encryption everywhere

All data encrypted in transit with TLS 1.3 and at rest with AES-256. Keys managed via AWS KMS with automatic 90-day rotation. Bring-your-own-key (BYOK) available on Enterprise.

Access controls

Role-based access control with fine-grained permissions. SSO via SAML 2.0 and OIDC. MFA enforced for all obseria.io employees. Hardware security keys required for production access.

Infrastructure security

Hosted on AWS with VPC isolation, private subnets, and no direct internet access to data stores. All infrastructure changes go through a peer-reviewed IaC pipeline with automated vulnerability scanning.

Audit & compliance

Comprehensive audit logs for all API calls and user actions, retained for 12 months. SIEM integration available. Annual penetration testing by an independent third party with a public bug bounty programme.

Responsible disclosure

We maintain a coordinated disclosure programme. Critical reports receive an acknowledgement within 4 hours and a patch within 48 hours. Researchers are credited publicly if desired.

Vendor risk management

All third-party sub-processors are reviewed annually. Our list is publicly available and customers are notified 30 days before any additions with a right to object.

Sub-processors

Who handles your data

We maintain a complete list of all sub-processors that may process customer telemetry data. Customers are notified at least 30 days before any new sub-processor is added, with a right to object.

Request full sub-processor list

Amazon Web Services (AWS)

Cloud infrastructure — US-East, EU-West

Cloudflare

DDoS protection, CDN, DNS

Stripe

Payment processing

Twilio SendGrid

Transactional email

PagerDuty

On-call escalation integration

Penetration testing

Annual independent pen test

Full-scope penetration test annually by an independent firm covering the API, web application, internal network, and social engineering vectors. All findings are remediated within 30 days and re-tested. Customers may request a summary under NDA.

Web appAPIInfrastructureSocial engineering

Responsible disclosure

Report a vulnerability

We welcome coordinated disclosure from security researchers. Reports are acknowledged within 4 hours, with critical patches shipped within 48 hours. Researchers who wish to be credited publicly will be recognised after resolution.

Initial response< 4 hours
Critical patch SLA< 48 hours
Disclosure window90 days
security@obseria.io

Questions about security?

Our security team is happy to answer questions, provide documentation, or schedule a technical deep-dive before you sign.