Security
We take the security of your telemetry data seriously. Here's how we protect it.
Encryption in transit
All data is encrypted using TLS 1.3. We enforce HTTPS across all endpoints. No plain-text communication.
Encryption at rest
Data stored in PostgreSQL is encrypted at rest using AES-256. Backups are also encrypted.
API key authentication
All SDK ingest uses scoped API keys. Keys are hashed before storage; we cannot retrieve your key, only verify it.
Multi-tenant isolation
Every query is scoped by organizationId. Your traces are never visible to other organizations.
Rate limiting
Ingest endpoints are rate-limited per API key to prevent abuse. Limits are documented and visible in your dashboard.
Audit logging
Critical operations (API key creation, plan changes, member invites) are logged and visible in your account.
Infrastructure
We host on Railway infrastructure in the United States (us-east4). Railway provides DDoS protection, network-level firewall, and private networking between services.
Our database is PostgreSQL with TimescaleDB for time-series span data. We maintain daily backups with 7-day retention.
We use Redis for rate limiting and session management. Session tokens expire after 30 days of inactivity.
Responsible disclosure
If you discover a security vulnerability, please report it responsibly. We will acknowledge your report within 24 hours and aim to resolve critical issues within 7 days.
Report to: security@tracehawk.dev
Please do not disclose publicly until we have had a chance to address the issue. We appreciate responsible disclosure and will credit researchers in our changelog.