Security
Last updated July 11, 2026
1. Overview
ErrTap is built so startups can ship observability without weakening their security posture. This page summarizes how we protect customer data across the control plane and the ingestion path.
2. Authentication and access
Dashboard access uses short-lived JWT sessions in httpOnly cookies. Organization roles (owner, admin, member, viewer) gate sensitive actions. Project ingestion uses DSN keys hashed at rest (SHA-256); keys can be rotated from settings.
3. Encryption
All traffic to the API and dashboard is encrypted with TLS. Secrets such as notification channel credentials are encrypted at rest with AES-256-GCM. Database and object storage rely on provider-managed encryption.
4. Ingestion hardening
The hot path validates DSN auth, applies per-project rate limits, and enqueues work asynchronously so a flood of events cannot write synchronously to the primary database. CORS for ingest is scoped to that surface only.
5. Isolation and least privilege
Projects are scoped within organizations. Application secrets are never logged in plaintext. Background workers and scheduled checks run with the minimum credentials required for their queue.
6. Monitoring and response
We monitor service health, failed jobs, and anomalous ingest patterns. Security-relevant mutations are written to an audit log. Suspected incidents are investigated and, where personal data is affected, we notify affected customers without undue delay.
7. Customer responsibilities
You control what your SDKs send. Scrub PII from payloads where possible, rotate DSNs after staff changes, and keep notification destinations under your control. Enterprise customers may request additional contractual terms via legal@errtap.com.
8. Vulnerability disclosure
If you believe you have found a security issue, email security@errtap.com with steps to reproduce. Please give us a reasonable window to investigate before public disclosure.
Questions? Email us at legal@errtap.com.