Security & compliance
How HowlOps protects your monitoring data: encryption everywhere, EU-only residency, audited access, and a transparent responsible-disclosure flow.
What we ship today, what’s next
We’d rather be honest about what’s certified, what’s mid-audit, and what’s still on the roadmap than overpromise. Status is updated when an item ships or when an audit milestone closes.
| ITEM | DETAIL | STATUS |
|---|---|---|
| GDPR compliance | EU-only data residency, signed DPA available on request | Live |
| SAML SSO | Premium tier; SP-initiated and IdP-initiated flows | Live |
| Audit logs | Tenant-scoped, 90d on Standard, 1y on Premium | Live |
| MFA enforcement | TOTP + WebAuthn passkeys for all account tiers | Live |
| SOC 2 Type II | Audit in progress — controls + evidence collection underway | In progress |
| Annual third-party pentest | Scheduled with external testing partner | Planned |
| Bug bounty programme | Public bounty on HackerOne or Intigriti | Planned |
How the platform stays locked down
Encryption everywhere
TLS 1.3 in transit. AES-256 at rest. Encrypted database backups. Secrets isolated in HashiCorp Vault.
Identity & access
TOTP + WebAuthn MFA, SAML SSO on Premium, role-based access control, scoped API tokens, session revocation.
EU-only data residency
Primary in Frankfurt, replica in Paris. No transfer outside EU without Standard Contractual Clauses.
Found a vulnerability? Here’s the playbook.
Email [email protected]. We won’t pursue legal action against researchers who follow the steps below.
1. Send a detailed report to the security email address below
2. We acknowledge receipt within 24 hours
3. We assess severity and begin remediation
4. We keep you informed of progress throughout
5. We publicly acknowledge your contribution (if desired)
Legal & procurement
Signed DPA available on request. Full subprocessor list published below.