Nurbak Security
Your monitoring data is sensitive. Here is what we protect, how we protect it, and what we never collect in the first place.
We monitor your APIs from outside (synthetic checks across 4 regions) and from inside (instrumentation.ts). At every step, traffic is encrypted in transit, data is encrypted at rest, and the footprint is minimized to the smallest possible surface.
Every health check, metric upload, and alert delivery runs over TLS 1.3 with HSTS enforced. Plain HTTP is rejected.
Response codes, latency samples, error rates, and account data are encrypted at rest with AES-256. Backups live in a separate encryption domain.
API keys and bearer tokens used to monitor authenticated endpoints are wrapped with envelope encryption. Tokens are never stored or logged in plaintext.
All traffic between your servers, our probes, our dashboard, and alert channels uses TLS 1.3. HSTS is enforced for nurbak.com and watch.nurbak.com.
Persistent monitoring data and customer credentials are encrypted at rest with AES-256-GCM, including its authentication tags.
Customer API keys used for authenticated checks are wrapped with KMS-managed data keys, so a database compromise alone does not expose tokens.
The safest data is the data we never have. Nurbak Watch is built to know as little about your business as possible.
We capture status codes, headers you opt in to, and timing data (DNS, TLS, TTFB, total). The body of your API response is never read or stored.
Nurbak monitors your routes, not your users. We never collect identifiers, IPs, or behavior data about people calling your APIs.
No Facebook Pixel, no ad networks, no session replay. We use first-party privacy-friendly analytics only.
Probes run from 4 global regions. Customer data is stored in the EU by default; Team customers can pin storage to EU, US, or both.
Detailed metrics are retained 30 days on Free, 90 days on Pro. Aggregates are kept longer; raw probe data is deleted on schedule.
No advertising trackers, no session replay tools. Operational logs are scrubbed of secrets and rotated within 14 days.
We only inspect status codes, response headers you explicitly opt into, and timing data (DNS, TLS, TTFB, total). We do not capture or store response bodies, so the actual content your API returns to users is never visible to Nurbak.
By default, monitoring data is stored in the EU. Team plan customers can pin storage to EU, US, or both. All data is encrypted at rest with AES-256, and backups live in a separate encryption domain.
Yes. Nurbak Watch acts as a Data Processor for the operational data you send us. We minimize data by design: no end-user identifiers, no request bodies, no PII. A Data Processing Agreement is available on request.
Authentication tokens used to call your protected endpoints are encrypted with envelope encryption (AES-256-GCM with KMS-managed keys). They are decrypted only at probe execution time and never logged. You can rotate or revoke them from the dashboard at any time.
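The envelope scheme described above, as an added Node.js example (not Nurbak's code): `LocalKms` is a hypothetical in-process stand-in for a real KMS, and the check id and token are constructed sample values. Only the wrapped data key and the ciphertext reach the stored row, and the check id is bound to both as AES-GCM associated data.

```javascript
// Added example: envelope encryption of a monitoring token with AES-256-GCM.
// ASSUMPTION: LocalKms is a hypothetical stand-in for a real KMS; in production
// the key-encryption key (KEK) never leaves the KMS.
const crypto = require('crypto');

// AES-256-GCM with a fresh 96-bit nonce. Output layout: nonce | tag | ciphertext.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(aad);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}

function open(key, blob, aad) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAAD(aad);
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws if the tag, ciphertext or AAD does not match.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

class LocalKms {
  #kek = crypto.randomBytes(32); // held only by the "KMS", never stored in a row
  wrap(dek, ctx) { return seal(this.#kek, dek, Buffer.from(ctx)); }
  unwrap(wrapped, ctx) { return open(this.#kek, wrapped, Buffer.from(ctx)); }
}

// Returns the database row: only the wrapped DEK and the ciphertext are stored.
function encryptToken(kms, checkId, token) {
  const dek = crypto.randomBytes(32); // one data key per token
  const aad = Buffer.from(checkId);
  const row = {
    checkId,
    wrappedDek: kms.wrap(dek, checkId).toString('base64'),
    ciphertext: seal(dek, Buffer.from(token), aad).toString('base64'),
  };
  dek.fill(0); // drop the plaintext data key
  return row;
}

// Called at probe execution time; the row only opens under its own check id.
function decryptToken(kms, row) {
  const dek = kms.unwrap(Buffer.from(row.wrappedDek, 'base64'), row.checkId);
  const aad = Buffer.from(row.checkId);
  try { return open(dek, Buffer.from(row.ciphertext, 'base64'), aad).toString(); }
  finally { dek.fill(0); }
}
```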
Encrypted-at-rest databases would expose only ciphertext. KMS keys are not stored alongside the data. We monitor for anomalies, rotate credentials on a fixed schedule, and would notify customers within 72 hours of any confirmed compromise, sooner where regulation requires.
Health checks, latency tracking, multi-region monitoring, and instant alerts. Everything you need to keep your APIs healthy in production.