Security, Privacy, and Data Governance
Learn how supaguard protects your data. Explore our policies on secret scrubbing, data encryption, execution isolation, and GDPR compliance.
At supaguard, we understand that synthetic monitors often interact with sensitive parts of your application—login forms, payment pages, and internal dashboards. Our security architecture is designed to give you full monitoring visibility without compromising your security posture.
1. Data Encryption
All data is encrypted both in transit and at rest:
- In Transit: All communication between monitoring nodes and the control plane uses TLS 1.2+ encryption
- At Rest: Organization metadata, check configurations, and trace artifacts are encrypted using industry-standard AES-256 encryption
- Secrets: Environment variables are encrypted with a separate key and are never logged or exposed in traces
2. Dynamic Secret Scrubbing
supaguard automatically identifies and masks sensitive patterns in your logs and traces to prevent accidental exposure of:
- API Keys and Bearer Tokens
- Passwords and MFA codes
- Credit card numbers (Luhn algorithm detection)
- Social Security Numbers and similar PII patterns
[!TIP] To ensure maximum security, always use Organization Variables for sensitive data. These are injected as environment variables at runtime and are never stored in plain text. See Environment Variables for details.
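As an added illustration of the masking listed above (not supaguard's own scrubber; the regexes, placeholder strings and function names are assumptions), this example masks bearer tokens and dashed SSNs by pattern, and masks digit runs only when they pass the Luhn check:

```javascript
// Added example, not supaguard code. All names and patterns are assumptions.

// Luhn checksum: from the right, double every second digit, then sum digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Card candidates: 13-19 digits, optionally separated by a space or hyphen.
const CARD_CANDIDATE = /\b\d(?:[ -]?\d){12,18}\b/g;
// "Bearer <token>" as it appears in Authorization headers.
const BEARER = /\b(Bearer)\s+[A-Za-z0-9\-._~+\/]+=*/gi;
// US SSN in dashed form only; bare 9-digit runs are too ambiguous to mask.
const SSN = /\b\d{3}-\d{2}-\d{4}\b/g;

function scrubLine(line) {
  return line
    .replace(BEARER, "$1 [REDACTED_TOKEN]")
    .replace(SSN, "[REDACTED_SSN]")
    .replace(CARD_CANDIDATE, (match) => {
      const digits = match.replace(/[ -]/g, "");
      // Mask only when the checksum passes, so order ids and timestamps survive.
      return luhnValid(digits) ? "[REDACTED_PAN]" : match;
    });
}

// Constructed sample log lines (not real data).
const SAMPLE = [
  'GET /api/me Authorization: Bearer eyJhbGciOi.abc123.sig-_x',
  'fill #card "4111 1111 1111 1111"',
  "order=1234567890123456 ok",
  "ssn 078-05-1120",
];
SAMPLE.forEach((line) => console.log(scrubLine(line)));
```

A card number directly followed by another space-separated number forms one longer candidate that fails the checksum, so a production scrubber would also test sub-spans of each candidate.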
3. Execution Isolation
Every check runs in a stateless, ephemeral container:
- Fresh Context: No cookies, storage, or cache are shared between runs or between organizations
- Immediate Cleanup: Containers are destroyed within milliseconds of check completion
- Resource Isolation: Each execution gets its own CPU, memory, and network allocation
- No Shared State: Even sequential runs of the same check start from a completely clean environment
4. Network Security
supaguard monitoring nodes use a defined set of IP addresses for outbound connections:
- Static IPs: Available for firewall allowlisting so you can restrict access to known monitoring sources
- No Inbound Access: Monitoring nodes never accept inbound connections from the public internet
- DNS-over-HTTPS: DNS resolution uses encrypted channels to prevent DNS spoofing
[!IMPORTANT] If your application is behind a firewall or VPN, you'll need to allowlist supaguard's IP addresses. See Firewall Allowlisting for the full list.
5. Artifact Retention
Monitoring artifacts are retained based on your plan:
| Artifact Type | Hacker (Free) | Startup | Scale |
|---|---|---|---|
| Check Results | Indefinite | Indefinite | Indefinite |
| Video Recordings | 7 Days | 30 Days | 30 Days |
| Network Traces (HAR) | 7 Days | 30 Days | 30 Days |
| Console Logs | 7 Days | 30 Days | 30 Days |
| Playwright Traces | 7 Days | 30 Days | 30 Days |
After the retention period, artifacts are permanently deleted and cannot be recovered.
6. Compliance & GDPR
supaguard is built on Microsoft Azure, inheriting its world-class compliance certifications:
- SOC 2 Type II — Verified security controls
- ISO 27001 — Information security management
- GDPR Compliant — Full compliance with European data protection regulation
Data Residency
- Regional Data Residency: Choose to run and store your data exclusively within the EU or US
- Data Processing Agreements (DPA): Available for Enterprise customers upon request
Your Data Rights
- Data Export: Request a full export of your organization data at any time
- Data Deletion: Request complete deletion of all data, including check results and artifacts
- Access Control: Role-based access control ensures only authorized team members can view sensitive data
7. Responsible AI
supaguard's AI features (test generation, failure classification) follow responsible AI principles:
- No Training on Your Data: Your scripts, URLs, and test results are never used to train AI models
- Opt-In AI Features: AI generation is optional — you can always write manual scripts
- Transparent Classification: Failure classification decisions are explainable and auditable
Secure Your Monitoring
- Managing Secrets — Store credentials securely
- Firewall Allowlisting — Allow supaguard through your firewall
- Global Network — Our monitoring infrastructure