1 Security Overview
Security is foundational to Media Luna. As an uptime monitoring platform, we have access to your infrastructure's endpoints — we take that responsibility seriously. This page describes our security practices and how to report vulnerabilities.
2 Encryption
In Transit
All data transmitted between clients and Media Luna servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints and use HSTS to prevent downgrade attacks. Probe-to-backend communication is also encrypted in transit.
At Rest
All database volumes and storage are encrypted using AES-256. Sensitive fields (authentication credentials stored for monitoring, API keys, TOTP secrets) receive additional application-level encryption on top of the storage-level encryption.
Passwords
User passwords are hashed using bcrypt with per-user salts. We never store, log, or transmit plaintext passwords.
3 Infrastructure Security
- Hosting: Media Luna is hosted on Amazon Web Services (AWS) in US and EU regions. We leverage AWS's physical security certifications and infrastructure hardening.
- Network isolation: Services run within isolated VPCs with security groups restricting ingress and egress to only what's necessary. Database servers are not publicly accessible.
- Multi-tenancy isolation: Strict account-level data isolation is enforced at the database query level — every query is filtered by account_id. Users can never access another account's data.
- DDoS protection: AWS Shield and CloudFront provide DDoS mitigation for publicly accessible endpoints.
- Security headers: All responses include HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers.
- Dependency management: We use automated tools to detect and remediate vulnerable dependencies.
4 Application Security
- SSRF protection: Media Luna executes health checks against user-configured endpoints. We implement SSRF (Server-Side Request Forgery) protections to prevent our probes from being used to scan internal networks, cloud metadata endpoints, or other restricted resources.
- Rate limiting: API endpoints are rate-limited to prevent abuse and brute-force attacks. Authentication endpoints have additional protections including account lockout after repeated failed attempts.
- Two-factor authentication (2FA): TOTP-based two-factor authentication is available for all user accounts and strongly recommended for accounts with ADMIN or EDITOR roles.
- Role-based access control: Three roles — ADMIN, EDITOR, and VIEWER — follow the principle of least privilege. VIEWER accounts have read-only access and cannot modify monitors or notification settings.
- API key scoping: Developer API keys can be scoped to specific permissions. Keys are hashed in storage and displayed only once upon creation.
- Input validation: All user inputs are validated and sanitized server-side to prevent injection attacks (SQL injection, command injection, path traversal).
- Audit logging: All authentication events, configuration changes, and data access are logged with timestamps and actor information.
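The SSRF protection listed above can be illustrated with a destination check run before each health check. This is an added example, not Media Luna's code: the function names, the public-addresses-only policy, and the constructed DNS table are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

class BlockedTarget(ValueError):
    """Raised when a user-configured probe URL must not be fetched."""

def system_resolver(host, port):
    # Real DNS lookup; returns every address the name resolves to.
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

# Constructed sample DNS data so the example runs offline.
CONSTRUCTED_DNS = {
    "status.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.4.17"],
    "mixed.example.com": ["93.184.216.34", "169.254.169.254"],
}

def fake_resolver(host, port):
    return CONSTRUCTED_DNS.get(host, [host])  # IP literals pass through

def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 address
    # is_global is False for private, loopback, link-local (cloud metadata),
    # shared (100.64/10) and reserved ranges.
    return ip.is_global and not ip.is_multicast

def check_probe_target(url, resolver=system_resolver):
    """Return (ip, port) to connect to, or raise BlockedTarget."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise BlockedTarget(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise BlockedTarget("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    addresses = resolver(parts.hostname, port)
    # Reject if ANY record is restricted, so a mixed answer cannot slip through.
    blocked = [a for a in addresses if not is_public(a)]
    if not addresses or blocked:
        raise BlockedTarget(f"restricted or unresolved target: {blocked[:1]}")
    return addresses[0], port  # connect to this IP, not a fresh lookup

def is_allowed(url, resolver=system_resolver):
    try:
        check_probe_target(url, resolver)
        return True
    except ValueError:
        return False
```

The probe should connect to the returned IP rather than resolving the name again, and repeat the check on every redirect hop, so a DNS change or redirect after validation cannot steer the request to a restricted address.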
5 What We Do NOT Do
- We do not sell your data to any third party
- We do not store payment card numbers — all payment data is handled by Stripe, Inc. (PCI-DSS compliant)
- We do not use your monitoring data for advertising or profiling
- We do not grant employees access to customer data except as needed to provide support, and only with your knowledge or as required by law
- We do not retain deleted account data beyond the 30-day export window (except billing records required by law)
6 SOC 2 Compliance
We are currently working toward SOC 2 Type II certification. In the meantime, enterprise customers can request our Security Questionnaire (CAIQ-Lite) and review our security controls documentation by contacting [email protected].
7 Incident Response
In the event of a security incident, we follow a structured response process:
- Detection: Automated alerting on anomalous access patterns, error rates, and infrastructure events
- Containment: Affected systems are isolated immediately upon confirmation of a breach
- Notification: Affected customers will be notified within 72 hours of confirmed breach, as required by GDPR Article 33 — see our Data Processing Agreement for breach notification terms
- Post-incident: Root cause analysis and remediation steps are completed and, where appropriate, shared with customers
8 Responsible Disclosure Policy
We believe that security researchers play an important role in keeping our platform and customers safe. If you discover a security vulnerability in Media Luna, please report it to us responsibly.
How to Report
- Email: [email protected] (PGP key available on request)
- Subject line: "Responsible Disclosure: [brief description]"
Please Include
- A clear description of the vulnerability
- Steps to reproduce (proof-of-concept code or screenshots if possible)
- The potential impact and any affected components
- Your contact information for follow-up
What to Expect from Us
- Acknowledgment within 2 business days
- An initial assessment within 5 business days
- Regular updates on remediation progress
- Credit in our security acknowledgements (if desired) upon fix
Safe Harbor
We will not pursue legal action against security researchers who:
- Act in good faith
- Limit their testing to their own accounts or non-production environments
- Do not access or modify other users' data
- Report findings promptly and confidentially
Out of Scope
The following are out of scope for responsible disclosure: social engineering attacks, physical attacks on our offices, denial-of-service testing against production systems, and spam or phishing campaigns.
9 Security Contact
For all security matters: