Security Policy

Last updated: 12 March 2026

At PathWatch, security is foundational to everything we build. As a monitoring platform trusted to observe your infrastructure, we hold ourselves to the highest standards of data protection and operational security.

1. Reporting a Vulnerability

If you discover a security vulnerability in PathWatch, we appreciate your help in disclosing it responsibly.

• Email: security@pathwatch.app
• Response time: We aim to acknowledge reports within 48 hours and provide an initial assessment within 5 business days.
• Scope: All PathWatch services including pathwatch.app, app.pathwatch.app, and api.pathwatch.app.

Please include as much detail as possible: steps to reproduce, potential impact, and any proof of concept. Do not access or modify other users’ data during your research.

2. What We Protect

Data in Transit

• All connections use TLS 1.2 or higher. Plaintext HTTP is never accepted.
• Communication between runners and the API uses mutual TLS (mTLS) with client certificate authentication.
• API request payloads are signed with HMAC-SHA256 to prevent tampering.
• Cloud-dispatched check results use AES-256-GCM payload encryption.

Data at Rest

• Passwords are hashed using bcrypt with a high work factor.
• API keys and runner tokens are hashed before storage — we never store them in plaintext.
• Secrets are never written to log files or diagnostic output.
• Database volumes use encrypted storage.

Authentication & Access Control

• Session cookies: HttpOnly, Secure, SameSite=Lax. Never accessible to client-side JavaScript.
• Two-factor authentication (2FA): TOTP-based 2FA available for all accounts.
• Passkey support: WebAuthn/FIDO2 passwordless authentication.
• OAuth: Sign in with Google and GitHub. No passwords stored for social logins.
• Organisation-scoped isolation: Every resource is scoped by organisation. Cross-tenant data access is architecturally impossible.
• Role-based access control: Owner, Admin, and Member roles with granular permissions.

3. Infrastructure Security

Hosting

• Core infrastructure runs on Hetzner Cloud in Helsinki, Finland (EU).
• Monitoring checks are executed from multiple cloud regions across AWS, GCP, and Azure.
• All environments (production, staging, development) are fully isolated with separate credentials, databases, and network boundaries.

Network

• Cloudflare provides CDN, DDoS protection, and DNS.
• HSTS with includeSubDomains and preload enforced across all domains.
• Content Security Policy restricts script, style, and resource loading to trusted origins.
• Rate limiting on authentication endpoints to prevent brute-force attacks.

Runner Security

• Runner containers use a read-only filesystem with no shells or package managers.
• Container images are signed to prevent tampering.
• Runtime integrity verification: SHA-256 hashes of all runner code are verified at startup and periodically during operation.
• SSRF protection: Runners block requests to private IP ranges, link-local addresses, and cloud metadata endpoints.

4. Development Practices

• TypeScript strict mode across all services with no use of any types.
• Zod validation on all API request and response schemas.
• No eval(), new Function(), or dynamic code execution — enforced as a hard security policy.
• Dependency auditing with automated vulnerability scanning.
• Static analysis with Semgrep for security-focused code review.
• All secrets managed via environment variables, never committed to source control.

5. Incident Response

In the event of a security incident affecting customer data:

• We will notify affected customers within 72 hours of confirming the breach, as required by UK GDPR.
• We will provide clear details of what happened, what data was affected, and what actions we are taking.
• We will report to the Information Commissioner’s Office (ICO) where required by law.
• Post-incident, we conduct a thorough review and publish a summary of findings and remediation steps.

6. Compliance

• UK GDPR and the Data Protection Act 2018 — PathWatch is operated by Vertexion Ltd, registered in England and Wales.
• Paddle serves as our Merchant of Record, handling PCI DSS compliance for payment processing.
• We do not use tracking cookies, advertising pixels, or analytics that collect personal data.

7. Contact

For security concerns, vulnerability reports, or questions about our security practices:

• Security: security@pathwatch.app
• Privacy: privacy@pathwatch.app
• General: support@pathwatch.app