Security

Name: openstatus
Brand: openstatus
Availability: InStock

How openstatus protects your data, where it lives, and how to reach us if you find something.

Security at openstatus rests on three things: open-source code, the ability to self-host, and a public list of every system we touch. This page describes how we protect data in the hosted product and how to reach us if you find something.

Open by default

Auditable code

Every line of openstatus is on GitHub. You can read it, fork it, or open a pull request.

Self-hostable

Don't want your data on our infrastructure? Run openstatus on your own — the self-hosting guide walks through it.

Public sub-processors

The full list of services we use to run openstatus.dev is public at /subprocessors — no NDA, no trust center login.

Data protection

All traffic to openstatus.dev and the API is served over HTTPS with modern TLS. Data is encrypted at rest by our infrastructure providers — primary databases on Turso, analytics on Tinybird, application hosting on Vercel and Fly. The full list, with regions and purpose, is on the sub-processors page.

Application secrets — third-party tokens, webhook URLs, integration credentials — are stored as environment variables in our hosting providers, never committed to the repository. Integration credentials you submit (Slack bot tokens, OpsGenie keys, etc.) are stored encrypted in the database and stripped from audit log entries.

Authentication and access

You sign in with GitHub or Google OAuth. We never see or store your password.

API access uses scoped keys: a key with the read scope can only call read-only endpoints; a key with the write scope can mutate data. Scopes are enforced before any database lookup, so a read-only key can't even reach a write code path.

Every workspace is isolated. Every database read and write is filtered by workspace ID at the service layer — there is no shared state between workspaces.

Every mutation in your workspace — whether it comes from the dashboard, the API, MCP, or the Slack integration — is recorded in an append-only audit log. Workspace members on Pro can browse it at /audit-logs in the dashboard. If a teammate changes a monitor, deletes an integration, or rotates an API key, it's on record.

Where your data lives

We default to EU-hosted infrastructure wherever the provider offers it: queues on GCP (EU), analytics on Tinybird (EU), email on Resend (EU), product analytics on Openpanel (EU). Application hosting and the primary database run globally on Vercel, Fly, Koyeb, Railway and Turso.

The complete list, with purpose and region for each provider, lives at /subprocessors.

Operational practices

Every change to openstatus goes through a pull request on GitHub. PRs are reviewed by a human and by automated code review before merge. CI runs lint, type-check, and tests on every commit.

We publish a public changelog for every meaningful change to the product, so you can see what shipped and when.

Larger architectural decisions are written up as ADRs in the repo's /docs/adr folder, so the reasoning behind each one is on record.

Reporting a vulnerability

If you find a security issue, email ping@openstatus.dev. We acknowledge reports within three business days and keep you informed until the issue is resolved. The full disclosure policy is in SECURITY.md, and our RFC 9116 contact is at /.well-known/security.txt.

For privacy questions, see our privacy policy or email the same address.