Security at DNS Watchdog
DNS Watchdog is built on AWS with tenant-isolated infrastructure and end-to-end encryption. We operate security controls aligned with SOC 2 Trust Service Criteria and GDPR principles, with formal SOC 2 Type II audit engagement beginning Q1 2027.
To report a vulnerability, email us at the address above. We acknowledge reports within one business day and provide regular status updates until resolution. Critical vulnerabilities are triaged immediately upon receipt. We ask that you allow a reasonable remediation window before public disclosure.
- GDPR: Aligned
- SOC 2 Type II: Q1 2027
- ISO 27001: H2 2027
We operate security controls aligned with SOC 2 Trust Service Criteria today. Formal audit engagement begins Q1 2027. Request our pre-audit controls matrix at security@dnswatchdog.io.
Cloud & Network Security
AWS eu-west-2 (London)
Backend hosted on AWS in the eu-west-2 London region using AWS SAM serverless architecture.
Encryption in Transit
TLS 1.2 is the minimum enforced version on all public endpoints, including the API Gateway custom domain and S3 access via CloudFront.
Encryption at Rest
DynamoDB tables are encrypted at rest using AWS-managed keys. S3 screenshot storage is encrypted at rest using AES-256 server-side encryption.
Serverless Architecture
Backend uses AWS Lambda with no persistent compute instances, eliminating SSH access, OS patching, and long-lived server processes as attack surfaces.
Vercel Frontend
Frontend hosted on Vercel with edge-network delivery. All traffic is served over HTTPS.
AWS Services
Architecture built on Lambda, API Gateway, DynamoDB, S3, SQS, and EventBridge.
How we protect your data
Tenant Isolation
Tenant isolation is enforced at the infrastructure level. Every API request is scoped to the authenticated organization using AWS IAM session policies — not application logic alone. Cross-tenant data access is architecturally impossible without a valid, scoped credential.
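One way the session-policy scoping described above can be implemented, as an added example that is not DNS Watchdog's own code. It assumes each DynamoDB item's partition key is the organization ID; the function names, the action list and the ARNs passed in are hypothetical.

```python
import json
import re

# Assumption: organization IDs are short opaque tokens. Anything else is
# rejected before it can be embedded in a policy document.
ORG_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,60}")

# Item-level actions only. Scan is deliberately not listed: it is not bound
# to a single partition key, so it cannot be scoped to one tenant this way.
ITEM_ACTIONS = [
    "dynamodb:GetItem", "dynamodb:Query", "dynamodb:PutItem",
    "dynamodb:UpdateItem", "dynamodb:DeleteItem",
]


def tenant_session_policy(org_id: str, table_arn: str) -> dict:
    """Build a session policy limiting DynamoDB access to one tenant's items."""
    if not ORG_ID_RE.fullmatch(org_id):
        raise ValueError("invalid organization id")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ITEM_ACTIONS,
            "Resource": [table_arn],
            # Every partition key touched by the request must equal org_id.
            "Condition": {
                "ForAllValues:StringEquals": {"dynamodb:LeadingKeys": [org_id]}
            },
        }],
    }


def scoped_credentials(sts_client, role_arn: str, org_id: str, table_arn: str) -> dict:
    """Assume the data-access role with the tenant policy attached.

    Effective permissions are the intersection of the role's own policy and
    this session policy, so a bug in application code cannot widen the scope.
    sts_client is a boto3 STS client, e.g. boto3.client("sts").
    """
    resp = sts_client.assume_role(
        RoleArn=role_arn,
        RoleSessionName=f"org-{org_id}",
        Policy=json.dumps(tenant_session_policy(org_id, table_arn)),
        DurationSeconds=900,  # shortest lifetime STS allows
    )
    return resp["Credentials"]
```

The request handler would then create its DynamoDB client from the returned temporary credentials rather than from the Lambda execution role.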
Backups & Point-in-Time Recovery
Critical tables (providers, archive, user preferences, notes, subscriptions) have point-in-time recovery enabled. S3 screenshots are retained for 365 days with lifecycle transitions to lower-cost storage tiers.
Credential Storage
DNS provider credentials support a read-only access mode. Credentials are encrypted using AWS KMS and scoped so they are accessible only to the owning tenant.
Retention, Deletion & Portability
Retention Policy
Customer data is retained for the duration of the active subscription. DNS records, scan results, and screenshots are stored for up to 365 days. Audit logs are retained for 12 months.
Account Termination
Upon contract termination or account deletion, all customer data is permanently purged within 30 days. A certificate of data destruction is available on request.
Data Portability
Customers can export all their data at any time via the API or dashboard. Exports include DNS records, scan history, provider configurations, and audit logs in standard formats (JSON/CSV).
Code-Level Protections
Input Validation
All API request bodies are validated using Pydantic v2 models with strict Python typing enforced by mypy. Requests that fail schema validation are rejected with a structured error response.
Dependency Scanning
Automated vulnerability detection and static security analysis run as mandatory steps in the CI/CD pipeline. Deployment is blocked on failure.
Rate Limiting
Per-tenant request limits protect the platform from abuse. When limits are exceeded, the API returns HTTP 429 with a Retry-After header.
Secure Coding Practices
Comprehensive linting, security-focused static analysis, property-based testing with Hypothesis for input fuzzing, and a minimum 90% code coverage requirement enforced in CI.
Authentication & authorization
Authentication Provider
User authentication is handled by Clerk with support for email/password, Google OAuth, and SSO via SAML. Account recovery is available through email-based password reset and verified backup codes.
Multi-Factor Authentication
MFA is available via authenticator apps (TOTP) and SMS verification. Organizations can enforce MFA at the organization level for all members.
Session Management
Sessions expire after 7 days of inactivity (configurable per organization on request). Concurrent sessions are supported across devices, and administrators can revoke any active session immediately.
API Authentication
API requests are authenticated using JWT-based token validation. Tokens expire after 1 hour and are verified on every request by backend middleware before processing.
Authorization Model
User roles and permissions control access to resources within a tenant. Role-based access ensures users can only view and modify resources their assigned role permits.
Resilience & Recovery
Uptime Target
DNS Watchdog targets 99.9% monthly uptime for the API and dashboard. Real-time status is published at status.dnswatchdog.io.
Resilience Architecture
The serverless architecture auto-scales with demand and has no single points of failure. DynamoDB provides multi-AZ replication by default. SQS queues buffer work during traffic spikes.
Backup & Recovery
Point-in-time recovery enables restoration to any second within the retention window. Recovery Time Objective (RTO) is under 1 hour. Recovery Point Objective (RPO) is under 5 minutes.
Monitoring, Response & Disclosure
Monitoring & Alerting
CloudWatch metrics and structured logs track API latency, error rates, Lambda invocations, and DynamoDB throttles. Alerts fire on anomalous error spikes or sustained latency and are delivered via email and Slack.
Incident Response
A defined incident process covers detection through automated alerts, triage to assess severity and scope, containment to limit blast radius, resolution with root-cause fix, and a blameless post-mortem documenting lessons learned.
Vulnerability Disclosure
Report vulnerabilities to security@dnswatchdog.io. We acknowledge reports within one business day and provide regular status updates until resolution. Critical vulnerabilities are triaged immediately upon receipt.
Patching Practices
Critical security patches are applied within 72 hours for actively exploited vulnerabilities and within 7 days for all other critical CVEs. Dependency vulnerabilities are tracked via automated scanning in CI with alerts on new advisories.
Third-Party Data Processors
The following third parties process customer data on our behalf. All subprocessors are bound by data processing agreements and maintain their own compliance certifications.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, compute, storage, and database | eu-west-2 (London, UK) |
| Clerk | User authentication and identity management | United States |
| Vercel | Frontend hosting and edge delivery | Global edge network |
| Sentry | Error monitoring and performance tracking | United States |
| Stripe | Payment processing and subscription billing | United States |
Report a Vulnerability
If you discover a security vulnerability, please report it responsibly. We acknowledge reports within one business day and provide regular status updates until resolution. Critical vulnerabilities are triaged immediately upon receipt.
security@dnswatchdog.io
Request Our Security Pack
Need to complete a vendor security assessment? We can provide our pre-audit controls matrix, architecture diagrams, DPA, and responses to standard questionnaires (SIG Lite, CAIQ).
Legal & Compliance Documents
Review our legal agreements and data processing documentation.