Security

LogStitch is infrastructure for audit logs. Security isn't a feature we bolt on — it's the foundation everything else is built on.

Infrastructure

  • Hosted on Vercel with automatic TLS and edge caching.
  • Database hosted on Supabase Cloud (AWS) with encryption at rest (AES-256) and in transit.
  • All API traffic served over HTTPS. HTTP requests are upgraded automatically.
  • Master API keys encrypted with AES-256-GCM before storage. Project keys are hashed with SHA-256.

Data Protection

  • Events are append-only and immutable. No UPDATE or DELETE operations are supported on event data.
  • Every event is content-hashed (SHA-256) at ingest time for tamper detection.
  • Built-in PII redaction automatically detects and scrubs credit card numbers, SSNs, email addresses, phone numbers, and API keys before storage.
  • Custom redaction rules let you define project-specific patterns.
  • Tenant-scoped access controls ensure customers can only query their own events.

Authentication & Access

  • API key authentication with constant-time comparison to prevent timing attacks.
  • Viewer tokens are short-lived JWTs (1-hour default, 24-hour maximum) that enforce tenant-scoped read access.
  • Dashboard authentication via Supabase Auth with magic link and Google OAuth support.
  • All API responses include a unique request_id for audit trail and debugging.
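
Two of the controls listed above, constant-time API key comparison against a SHA-256 hash and short-lived tenant-scoped viewer tokens with a 24-hour ceiling, fit in one small Python illustration. This is added example code, not LogStitch's implementation: the key values, the signing secret, the claim names and the HS256 token layout are all assumptions. The signature and key checks both go through hmac.compare_digest so that a mismatch takes the same time regardless of where the strings first differ.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for illustration; not real LogStitch keys or secrets.
PROJECT_KEY = "ls_proj_constructed_example_key"
# The server keeps only the SHA-256 of each project key, looked up by a non-secret key id.
PROJECT_KEY_STORE = {"key_01": hashlib.sha256(PROJECT_KEY.encode()).hexdigest()}
VIEWER_SIGNING_SECRET = b"constructed-signing-secret"   # hypothetical server-side secret

DEFAULT_TTL = 3600          # 1-hour default from the page
MAX_TTL = 24 * 3600         # 24-hour maximum from the page
_DUMMY_HASH = "0" * 64      # compared against when the key id is unknown, to keep timing uniform

SAMPLE_EVENTS = [           # constructed rows from two tenants
    {"tenant_id": "t_acme", "action": "user.login"},
    {"tenant_id": "t_globex", "action": "user.login"},
    {"tenant_id": "t_acme", "action": "file.download"},
]


def authenticate_api_key(key_id, presented_key):
    """Hash the presented key and compare it in constant time with the stored hash."""
    stored = PROJECT_KEY_STORE.get(key_id, _DUMMY_HASH)
    presented = hashlib.sha256(presented_key.encode()).hexdigest()
    return hmac.compare_digest(stored, presented)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_viewer_token(tenant_id, ttl=DEFAULT_TTL, now=None):
    """HS256 token scoped to one tenant; any requested TTL is clamped to MAX_TTL."""
    now = int(time.time()) if now is None else now
    ttl = min(ttl, MAX_TTL)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"tenant_id": tenant_id, "scope": "events:read", "iat": now, "exp": now + ttl}
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(VIEWER_SIGNING_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_viewer_token(token, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":        # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(VIEWER_SIGNING_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims


def query_events(token, events, now=None):
    """Tenant-scoped read: the token decides which tenant's rows come back, never the caller."""
    claims = verify_viewer_token(token, now)
    if claims is None:
        raise PermissionError("invalid or expired viewer token")
    return [e for e in events if e["tenant_id"] == claims["tenant_id"]]


if __name__ == "__main__":
    print("api key ok:", authenticate_api_key("key_01", PROJECT_KEY))
    token = mint_viewer_token("t_acme", ttl=10**6)      # asks for ~11 days, gets 24 hours
    print("visible rows:", query_events(token, SAMPLE_EVENTS))
```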

Security Monitoring

  • Built-in security alert detection for brute force attacks, privilege escalation, impossible travel, and mass deletion patterns.
  • Webhook delivery for security alerts with HMAC signature verification.
  • Custom detection rules with configurable thresholds and time windows.
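
The monitoring pipeline described above has two halves a receiver integrates with: a detection rule with a threshold over a time window, and an alert delivered by webhook whose HMAC the receiver must verify. The Python below is an added illustration, not LogStitch's implementation or wire format: the rule shape, the X-Signature header, the "t=...,v1=..." encoding and the 300-second replay window are assumptions. It runs a constructed brute-force rule over constructed sample events, signs the resulting alert on the sending side, and verifies it on the receiving side, including the two checks a receiver most often forgets: comparing in constant time and rejecting stale timestamps.

```python
import hashlib
import hmac
import json
import time
from collections import defaultdict

WEBHOOK_SECRET = b"constructed-webhook-secret"   # hypothetical per-endpoint shared secret
REPLAY_WINDOW = 300                              # seconds a signed delivery stays acceptable

# Constructed rule: 5 failed logins by one actor inside 60 seconds.
BRUTE_FORCE_RULE = {"action": "user.login_failed", "threshold": 5, "window_seconds": 60}

# Constructed sample events (Unix-second timestamps). "mallory" fails six times in six seconds.
SAMPLE_EVENTS = [
    {"ts": 1_700_000_000 + i, "tenant_id": "t_acme", "actor": "mallory", "action": "user.login_failed"}
    for i in range(6)
] + [
    {"ts": 1_700_000_010, "tenant_id": "t_acme", "actor": "alice", "action": "user.login_failed"},
    {"ts": 1_700_000_011, "tenant_id": "t_acme", "actor": "alice", "action": "user.login"},
]


def evaluate_rule(events, rule):
    """Sliding-window count per actor; emits one alert per actor the first time it crosses the threshold."""
    alerts = []
    recent = defaultdict(list)      # actor -> timestamps of matching events still inside the window
    fired = set()
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] != rule["action"]:
            continue
        window = [t for t in recent[e["actor"]] if e["ts"] - t < rule["window_seconds"]]
        window.append(e["ts"])
        recent[e["actor"]] = window
        if len(window) >= rule["threshold"] and e["actor"] not in fired:
            fired.add(e["actor"])
            alerts.append({"type": "brute_force", "tenant_id": e["tenant_id"],
                           "actor": e["actor"], "count": len(window), "ts": e["ts"]})
    return alerts


def sign_delivery(alert, secret=WEBHOOK_SECRET, now=None):
    """Sender side: MAC over 'timestamp.body' so the signature also binds the delivery time."""
    now = int(time.time()) if now is None else now
    body = json.dumps(alert, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(secret, f"{now}.{body}".encode(), hashlib.sha256).hexdigest()
    headers = {"X-Signature": f"t={now},v1={mac}"}   # hypothetical header layout
    return headers, body


def verify_delivery(headers, body, secret=WEBHOOK_SECRET, now=None):
    """Receiver side: parse the header, reject stale timestamps, recompute and compare in constant time."""
    now = int(time.time()) if now is None else now
    try:
        fields = dict(part.split("=", 1) for part in headers["X-Signature"].split(","))
        ts = int(fields["t"])
        provided = fields["v1"]
    except (KeyError, ValueError):
        return False
    if abs(now - ts) > REPLAY_WINDOW:
        return False
    expected = hmac.new(secret, f"{ts}.{body}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, provided)


if __name__ == "__main__":
    for alert in evaluate_rule(SAMPLE_EVENTS, BRUTE_FORCE_RULE):
        headers, body = sign_delivery(alert)
        print(headers, body)
        print("receiver accepts:", verify_delivery(headers, body))
        print("receiver accepts edited body:", verify_delivery(headers, body.replace("mallory", "alice")))
```

Verify over the raw request body bytes exactly as received; re-serializing a parsed JSON object before hashing will silently break verification whenever key order or whitespace differs from what the sender signed.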

Responsible Disclosure

If you believe you've found a security vulnerability in LogStitch, we want to hear about it. Please report it to security@logstitch.io. We ask that you give us reasonable time to address the issue before public disclosure.

Our security.txt file is available at the standard well-known URI.