Security

Trust, earned.

Security is the foundation of a monitoring product. Here is exactly what we do to keep your data safe, and how to report a vulnerability if you find one.

Last updated · May 2026

1. Infrastructure

Region: AWS eu-central-1 (Frankfurt) — data never leaves the EU in primary form
Compute: dedicated VPC, private subnets, no public DB access
Network: WAF (rate limiting, common-pattern protection) in front of public endpoints
Backups: encrypted automated snapshots, 30-day retention, restore drills quarterly
Patching: OS images rebuilt weekly with the latest CVE patches

2. Encryption

In transit: TLS 1.2 minimum, TLS 1.3 preferred. HSTS enforced with preload. Modern cipher suites only; no SSLv3, no RC4, no export-grade ciphers
At rest: AES-256 (RDS, S3, EBS volumes). KMS-managed keys with automatic rotation
Passwords: bcrypt with cost factor 12; per-user salt
API tokens: stored as SHA-256 hashes. The raw token is shown once at generation and never persisted
Stripe payment data: tokenized on Stripe's side; we never see your card PAN, only the last 4 digits and brand

3. Authentication

Email + password with rate limiting (5 failed attempts → 1-minute lockout, escalating)
Password reset links: single-use, signed, expire in 60 minutes
Verification required for new email addresses before sensitive actions
Coming soon: TOTP-based 2FA and SAML SSO for Enterprise

4. Authorization & isolation

Multi-tenant architecture: every database row is keyed to an organization ID, enforced at the model layer and re-checked at the controller layer
Role-based access controls: owner manages billing & team; member uses features
Super-admin impersonation is logged, time-limited, and never used without an explicit support ticket
SSRF protection: outbound HTTP probes refuse to connect to private IP ranges (RFC 1918, link-local, loopback, metadata services)

Cerberops is a tool that itself makes outbound HTTP requests on your behalf. That means SSRF is a real concern. Our prober explicitly blocks 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, AWS/GCP metadata endpoints, and more.

5. Secure development

All code merged via pull request with at least one human reviewer
Automated static analysis (PHPStan level max, cs-fixer) on every PR
Automated dependency vulnerability scanning (Composer audit, npm audit)
Quarterly dependency upgrade sprints
Production deploys go through staging first; rollback in < 60 seconds
Secrets in AWS Secrets Manager — never in code, never in environment files committed to git

6. Logging & audit

All authentication events (login, logout, password change, token generation) are logged
All administrative actions (member invite, role change, billing change) are audit-logged with actor + IP
Logs retained for 12 months, shipped to a write-once log store
Access to production data is logged and reviewed quarterly

7. Responsible disclosure

If you find a security issue, please report it before publishing. We treat reporters fairly:

Email: duty@cerberops.io (PGP key available on request)
We acknowledge within 24 hours and aim to triage within 72 hours
We won't pursue legal action against good-faith research
Out-of-scope: social engineering of staff, physical attacks, DoS on production
Hall-of-fame credit available with permission

For general security questions: duty@cerberops.io.