How we handle your data.
A plain-English overview of the infrastructure, encryption, and practices behind Beaconmon. No marketing fluff — just what we actually do.
Infrastructure
Compute — Hetzner Cloud
Beaconmon runs on Hetzner Cloud servers located in Nuremberg, Germany (EU). Hetzner is ISO 27001 certified and operates its own data centers. We use dedicated VPS instances with no shared CPU resources.
Database — Neon (PostgreSQL)
All persistent data is stored in Neon, a serverless PostgreSQL provider running on AWS us-east-2. Neon encrypts data at rest using AES-256 and provides point-in-time recovery. We use connection pooling and separate direct/pooled URLs — migrations only run from controlled environments.
Edge & DDoS protection — Cloudflare
All traffic to beaconmon.com passes through Cloudflare. Cloudflare handles TLS termination (TLS 1.2 minimum, TLS 1.3 preferred), DDoS mitigation, and bot protection. The origin IP is not publicly exposed.
Cache — Redis (self-hosted)
Redis is self-hosted in the same stack as the application and is used for job queues and status page caching. It is not exposed to the internet. AOF persistence is enabled. Redis is configured with the noeviction policy, so queue jobs are never silently dropped under memory pressure.
Encryption
In transit
All connections between your browser and Beaconmon are encrypted via TLS 1.2+. Internal service-to-service communication happens within the same private network and does not traverse the public internet. Database connections from workers to Neon use TLS.
At rest
Database data at rest is encrypted by Neon (AES-256). Session tokens are stored as hashed values — the raw token is never persisted. Alert channel credentials (Slack webhook URLs, custom webhook secrets) are stored encrypted in the database.
Passwords
Beaconmon supports email magic links (no passwords) and optional password-based login. All passwords are hashed with bcrypt (cost factor 12) and the plaintext is never logged or stored.
Access controls
Tenant isolation
Every database query that touches user data is scoped to a team ID. There is no code path that allows one team to read another team's monitors, check results, or alert channels. This is enforced at the repository layer, not the API layer — so it cannot be bypassed by route bugs.
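The repository-layer scoping described above, sketched as an added example (this is not Beaconmon's code). The MonitorRepository class, the monitors schema and the sample rows are hypothetical and constructed for illustration, with Python's sqlite3 standing in for PostgreSQL.

```python
import sqlite3


class MonitorRepository:
    """Monitor data access bound to one team (hypothetical class and schema)."""

    def __init__(self, conn: sqlite3.Connection, team_id: int):
        self._conn = conn
        self._team_id = team_id  # set once by the caller's session, never by request input

    def list_all(self):
        return self._conn.execute(
            "SELECT id, url FROM monitors WHERE team_id = ? ORDER BY id",
            (self._team_id,),
        ).fetchall()

    def get(self, monitor_id: int):
        # team_id is part of every statement, so an id belonging to another
        # team matches no row even if a route forgets its own ownership check.
        return self._conn.execute(
            "SELECT id, url FROM monitors WHERE id = ? AND team_id = ?",
            (monitor_id, self._team_id),
        ).fetchone()

    def delete(self, monitor_id: int) -> bool:
        cur = self._conn.execute(
            "DELETE FROM monitors WHERE id = ? AND team_id = ?",
            (monitor_id, self._team_id),
        )
        return cur.rowcount == 1


def demo():
    """Build constructed sample data and exercise the repository as team 10."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE monitors (id INTEGER PRIMARY KEY, "
        "team_id INTEGER NOT NULL, url TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO monitors (id, team_id, url) VALUES (?, ?, ?)",
        [(1, 10, "https://a.example"), (2, 20, "https://b.example")],
    )
    team10 = MonitorRepository(conn, team_id=10)
    return {
        "own": team10.get(1),
        "foreign": team10.get(2),             # other team's row: not found
        "foreign_deleted": team10.delete(2),  # other team's row: not deleted
        "listed": team10.list_all(),
        "remaining": conn.execute("SELECT COUNT(*) FROM monitors").fetchone()[0],
    }
```

Because the repository exposes no method that takes a team ID as an argument, a handler can only reach rows for the team it was constructed with.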
Role-based access
Teams have three roles: Owner (full access + billing), Admin (full access, no billing), and Viewer (read-only). Role is checked on every mutation. Viewers cannot create, edit, or delete anything.
Rate limiting
Monitor creation is rate-limited to 20 requests per hour per team. Auth endpoints are rate-limited to 10 requests per 15 minutes per IP. Rate limit state is stored in Redis. If Redis is unavailable, limits fail open rather than blocking legitimate traffic.
Internal access
No Beaconmon employee has routine access to customer monitor data. Database access for debugging requires an explicit, time-limited connection from a developer machine. We do not have a customer support portal that exposes raw data.
GDPR & data privacy
Data location
Primary compute is in Germany (EU). Database is on Neon (AWS us-east-2, US). If your data residency requirements mandate EU-only storage, Beaconmon may not be the right fit today — we're working on an EU database option.
What we store
We store your email address, team name, monitor configurations, check results, incidents, and alert channel configs. We do not store the content of the sites you monitor beyond what is needed for content change detection (one snapshot per change event).
Data retention
Check results are retained for 365 days for all plans. If you delete your account, all associated data is deleted within 30 days. We do not sell your data to third parties.
Cookies
We use one session cookie for authentication. No tracking cookies, no third-party ad cookies. We use Sentry for error tracking (which may capture browser metadata on exceptions) and that's it.
Responsible disclosure
If you discover a security vulnerability in Beaconmon, please report it to us before making it public. We take security reports seriously and will respond within 48 hours.
Email: security@beaconmon.com
We do not have a bug bounty program at this time, but we will acknowledge your contribution publicly if you wish.