FAQ - Security, Privacy and Compliance
Checkly
Checkly is the API & E2E monitoring platform for developers. Checkly monitors the correctness, performance, and uptime of APIs and web applications via synthetic monitoring mechanisms.
As a Software-as-a-Service offering, it operates as an external agent on the public internet; it requires no installation inside, and no privileged access to, the user’s network.
Checkly can run two types of monitoring checks:
- API checks, which consist of one or more HTTP requests to a user-defined API endpoint
- Browser checks, which run a series of user-defined interactions on a web page through a headless browser.
Data such as response logs, timings, screenshots, and other similar artifacts are then processed and displayed on Checkly.
In short, Checkly:
- Simulates browser click flows and API requests like a real end-user or connected services.
- Has no access to the monitored application’s source code.
- Should be run with mock or test data only.
Security Response
We operate a white hat program that encourages developers to investigate and collaborate with Checkly on security vulnerabilities. Please find more here: https://www.checklyhq.com/security/security-response/.
FAQ
- Check data: Users can create and edit JavaScript-based scripts that can run automatically to perform a check on an API / UI. Environment variables holding secrets are encrypted and obfuscated.
- Check result data: Screenshots, HTTP response data, and execution logs.
- System logs: Standard logging of Checkly’s Front- and Backend.
- User credentials are not held by Checkly but by our authentication provider Auth0.
- Account data: Checkly processes the user name, email address, and account name.
- Credit card and billing information are stored by our payment provider Stripe and on Checkly.
Checkly logs account and user activity only to the extent needed to provide the service, for example, for billing and support purposes. The logged activity includes API access, overall check creation/execution, and similar activities. Detailed log data is purged after one month. Additionally:
- Customer accounts are deleted upon request.
- Check result data is rolled up after 1 month if not otherwise agreed with the customer, keeping only metadata.
- Log data is spread over two main systems: AWS and Papertrail. AWS data, including logs generated by users, is retained for a maximum of 1 month, after which it is purged. Papertrail, which holds the application-level logs, keeps them searchable for 1 month and retains them for 1 year.
- Data is continuously backed up and can be restored to any point within the last 4 days.
- Our core system software can be restored and deployed from our codebase in case of catastrophic failure with minimal “human involvement”.
- Other check result data is stored redundantly on S3 and removed after 30 days.
- The above measures allow Checkly to fall back in the us-east-1 AWS region.
- Our infrastructure is mostly serverless or cloud-based with generous scaling characteristics. All our core processing, storage, and queueing infrastructure can scale automatically when needed.
- Our web application and website are 100% static, using no servers or load balancers outside of a 3rd party CDN serving the static assets.
- Dependency updates are checked daily using Dependabot; this way, we track vulnerabilities and critical updates affecting our production code.