We take the security of your monitoring data seriously. This page describes the technical and organizational measures we use to protect your data, your accounts, and our platform.
All services run on Google Cloud Run, a fully managed serverless platform. No persistent VMs to patch or maintain.
Container images are built with ko, a Go-native builder that produces distroless images with no OS layer, shell, or package manager — drastically reducing attack surface.
Every service runs with min_instances=0 and scales to zero when idle. No long-lived infrastructure to compromise.
All traffic is encrypted with TLS 1.2 or higher. Internal service-to-service communication uses Google's encrypted network fabric.
Services are fronted by Google's global load balancer with built-in DDoS protection. There are no static IPs, open ports, or directly addressable hosts.
Container images are stored in Google Artifact Registry with automatic cleanup policies (7-day TTL, keep 5 latest) to limit exposure of old images.
PostgreSQL database connections require SSL. All data at rest is encrypted using AES-256 by the database provider.
Database credentials and secrets are stored with 0600 file permissions and managed through Google Cloud Secret Manager.
Project tokens and API keys are cryptographically hashed before being persisted. Raw keys are shown only once at creation time.
Check result data is retained based on your plan tier: 7 days (Free), 30 days (Starter), or 365 days (Pro). Data is automatically purged after the retention window.
Telesis monitors HTTP endpoints externally. We never access, store, or process your application source code or internal data.
User authentication is handled by Firebase Authentication, supporting Google OAuth and email/password with secure session management.
Four permission levels — Owner, Admin, Write, Read — let you control exactly who can view, modify, or manage your monitoring configuration.
CI/CD integrations use project tokens that are scoped to specific organizations and can be revoked instantly.
The CLI authenticates via browser-based OAuth flow. No passwords are stored on disk or transmitted to our servers.
All Connect-RPC API endpoints use protobuf schema validation (protovalidate) to reject malformed input before it reaches business logic.
All API endpoints are rate-limited to prevent abuse and protect against denial-of-service attacks.
CORS is configured per environment. All responses include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and X-Content-Type-Options headers.
Every commit is scanned with gosec (Go security checker) and golangci-lint with security-focused linters. Code cannot merge without passing these checks.
Automated security scanning runs in CI to detect known vulnerabilities in both Go and JavaScript dependencies.
GCP Error Reporting captures and aggregates errors in real time, with automatic alerting for new error patterns.
OpenTelemetry tracing and metrics are instrumented across all services, providing full request lifecycle visibility.
Every service exposes liveness and readiness health check endpoints. Unhealthy instances are automatically replaced by the platform.
All administrative actions — service creation, check configuration changes, team member invitations, and alert rule modifications — are recorded in an immutable audit log.
We are actively working toward SOC 2 Type II certification to formally demonstrate our security controls and practices.
We are committed to GDPR compliance. Data processing agreements are available on request, and region-specific data processing is on our roadmap.
You can request complete deletion of your account and all associated data at any time by contacting security@telesis.dev.
If you discover a security vulnerability in Telesis, we encourage responsible disclosure. Please report it to us so we can address it promptly.
Report via email
Send details to security@telesis.dev. Include steps to reproduce, impact assessment, and any relevant screenshots or logs.
Our commitment
We will acknowledge your report within 48 hours, provide an initial assessment within 5 business days, and keep you informed of our remediation progress. We will not take legal action against researchers who act in good faith.
Scope
Our disclosure policy covers the Telesis web application, API, CLI, and self-hosted agent. Third-party services (Firebase, Supabase, Google Cloud) should be reported to their respective security teams.
All data is stored in a PostgreSQL database hosted by Supabase, with encrypted connections and AES-256 encryption at rest. Backend services run on Google Cloud Platform in the australia-southeast1 region.
API keys and project tokens are cryptographically hashed using one-way hashing before being stored in the database. The raw key is displayed only once at creation time and cannot be retrieved afterward. Keys can be revoked instantly from the dashboard.
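The token lifecycle described above (one-way hashing before storage, raw value shown once, instant revocation) as an added Go example; this is not Telesis's own code. `TokenStore`, `TokenRecord`, the `tp_` prefix and the `org_demo` ID are constructed for illustration, and the in-memory map stands in for the database table.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
)

var ErrUnknownToken, ErrRevokedToken = errors.New("unknown token"), errors.New("token revoked")
// TokenRecord is all that gets persisted: org scope and revocation state, never the raw token.
type TokenRecord struct {
	OrgID   string
	Revoked bool
}
// TokenStore is a hypothetical in-memory stand-in for the tokens table, keyed by digest.
type TokenStore map[string]*TokenRecord
// TokenID is the hex SHA-256 digest of a raw token: safe to show in a dashboard and the handle
// revocation acts on. An unsalted hash suffices only because the token is 256 bits of CSPRNG output.
func TokenID(raw string) string {
	sum := sha256.Sum256([]byte(raw))
	return hex.EncodeToString(sum[:])
}
// Issue mints a token scoped to orgID and returns the raw value exactly once.
func (s TokenStore) Issue(orgID string) (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	raw := "tp_" + base64.RawURLEncoding.EncodeToString(buf) // "tp_" is a constructed prefix
	s[TokenID(raw)] = &TokenRecord{OrgID: orgID}
	return raw, nil
}
// Lookup authenticates a presented token and returns the org it may act for.
func (s TokenStore) Lookup(raw string) (string, error) {
	rec, ok := s[TokenID(raw)]
	if !ok {
		return "", ErrUnknownToken
	} else if rec.Revoked {
		return "", ErrRevokedToken
	}
	return rec.OrgID, nil
}
// Revoke takes effect on the next Lookup; the record stays for the audit trail.
func (s TokenStore) Revoke(id string) {
	if rec, ok := s[id]; ok {
		rec.Revoked = true
	}
}
```

Because only the digest is stored, a database read exposes nothing an attacker can present to the API, and revocation is a single flag flip rather than a key rotation.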
Yes. You can delete individual services and checks from the dashboard, which removes all associated monitoring data. For complete account deletion, contact security@telesis.dev and we will purge all your data within 30 days.
We follow a structured incident response process: identify, contain, eradicate, recover, and review. Affected customers are notified within 72 hours of confirmed data breaches. Post-incident reports are published for transparency.
No. Telesis performs external synthetic monitoring only — HTTP/HTTPS requests to your public endpoints. We never access your internal network, source code, databases, or private infrastructure unless you explicitly deploy a self-hosted agent.
Self-hosted agents initiate outbound connections to Telesis over TLS. They do not require inbound firewall rules or open ports. Agent-to-platform communication is authenticated and encrypted.