Security program
Security is owned by our engineering leadership and reviewed continuously, not once a year. We follow the principle of least privilege, keep an auditable change history, and run regular internal reviews and third-party testing of the Service.
Infrastructure and hosting
The Service runs on hardened cloud infrastructure with reputable providers that maintain their own SOC 2 and ISO 27001 certifications. Production is isolated from development, secrets are managed in a dedicated vault, and infrastructure is defined as code so changes are reviewed before they ship.
Data protection
- All traffic is encrypted in transit with TLS 1.3, with older protocols disabled.
- Data at rest is encrypted with AES-256.
- We store the timing and status of your checks, not the contents of your pages; page content is retained only as far as needed to evaluate the assertions you configure.
- Backups are encrypted and tested for restorability.
Access control
Access to production is restricted to a small on-call group, gated behind single sign-on and mandatory two-factor authentication, and logged. We provision and deprovision access promptly as roles change. Customer data is accessed only when needed to operate the Service or to support you at your request.
Reliability
Our monitoring control plane is built for redundancy across regions, so a failure in one location does not blind your alerts. We monitor ourselves the way you monitor your own systems, and we publish our status publicly. Probe locations are distributed across 23 cities on 6 continents.
Compliance and privacy
We are completing a SOC 2 Type II audit and can share the report under NDA. We support requirements under the GDPR, UK GDPR, and CCPA / CPRA, including data subject requests and a Data Processing Addendum for customers who need one. See our Privacy Policy for how we handle personal data.
Subprocessors
We use a short list of vetted vendors to run the Service, covering cloud hosting, payment processing, transactional email and alert delivery, and error monitoring. Each is bound by contract to protect your data and to use it only to provide their service to us. We will publish the current list and give notice before adding a new subprocessor that touches personal data. Request the up-to-date list at [email protected].
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, email [email protected] with details and steps to reproduce. Please give us reasonable time to fix the issue before any public disclosure, and do not access or modify data that is not yours. We will not pursue legal action against good-faith research that follows this guidance.
Incident response
We maintain an incident response plan with defined roles and communication paths. If an incident affects your data, we will investigate, contain it, and notify affected customers without undue delay, with the facts we have and the steps we are taking.