Security
Built so the boring questions have boring answers.
Tenant isolation, PII scrubbing, EU residency, and signed webhooks are foundational — not features layered on for the compliance checkbox.
Tenant isolation
Three layers, not one.
Cross-tenant data leakage is the failure mode that ends a SaaS. We invested early so it can't happen, even when a future PR forgets a WHERE clause.
URL identity per tenant
Every customer lives at their own subdomain. The auth layer cross-checks the subdomain against the session's organisation on every request and returns 404 on mismatch rather than 403: a probe can't distinguish a tenant that doesn't exist from one that isn't theirs, so nothing about the customer list leaks.
Application-layer scoping
Every query that touches tenant data is scoped to the requesting organisation, defensively, even when the database layer would already block it.
Database-level isolation
Tenant-data tables enforce row-level security in the database itself. A code regression that omits a scope filter still can't return another customer's rows.
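The first two layers, as an added example rather than ErrLens code: a request-time cross-check of the Host subdomain against the session that answers 404 for both unknown and mismatched tenants, and a data-access layer where the organisation id is a required argument so the WHERE clause can't be forgotten. The apex domain errlens.example, the tenant registry, the session shape and the sample rows are all constructed for the example; the unscoped query at the end is the regression the row-level layer exists to catch.

```python
# Added example, not ErrLens code: per-request tenant cross-check plus
# always-scoped data access. Assumptions: apex domain errlens.example,
# a tenant registry keyed by subdomain, a session dict carrying org_id.
import sqlite3
from typing import Optional

BASE_DOMAIN = "errlens.example"       # assumption: the product's apex domain
TENANTS = {"acme": 1, "globex": 2}   # constructed registry: subdomain -> org_id


class NotFound(Exception):
    """Rendered as HTTP 404. Raised for unknown AND mismatched tenants, so a
    probe cannot tell 'no such tenant' from 'exists, but not yours'."""


def subdomain_of(host: str) -> Optional[str]:
    """Return the tenant label if HOST is exactly <label>.BASE_DOMAIN
    (port stripped, case-folded, trailing dot ignored), else None."""
    name = host.split(":", 1)[0].strip().lower().rstrip(".")
    suffix = "." + BASE_DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    # reject empty or nested labels ("a.b.errlens.example") and odd characters
    if not label or "." in label or not label.replace("-", "").isalnum():
        return None
    return label


def resolve_org(host: str, session: dict) -> int:
    """Cross-check the URL's tenant against the session on every request."""
    org_id = TENANTS.get(subdomain_of(host) or "")
    if org_id is None or session.get("org_id") != org_id:
        raise NotFound()
    return org_id


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants' events share one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, "
               "org_id INTEGER NOT NULL, message TEXT NOT NULL)")
    db.executemany("INSERT INTO events (org_id, message) VALUES (?, ?)",
                   [(1, "acme: NullPointerException"),
                    (2, "globex: upstream timeout"),
                    (1, "acme: disk full")])
    return db


def events_for(db: sqlite3.Connection, org_id: int) -> list:
    """Scoped read: org_id is a required argument, and the WHERE clause is
    the application-layer guard the page describes."""
    rows = db.execute("SELECT message FROM events WHERE org_id = ? ORDER BY id",
                      (org_id,))
    return [r[0] for r in rows]


def events_unscoped(db: sqlite3.Connection) -> list:
    """The regression the page warns about: no WHERE clause, every tenant's
    rows. Only database-level row security stops this from leaking."""
    return [r[0] for r in db.execute("SELECT message FROM events ORDER BY id")]


def handle_request(db: sqlite3.Connection, host: str, session: dict) -> list:
    """Resolve the tenant first, then read only that tenant's rows."""
    return events_for(db, resolve_org(host, session))


if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "acme.errlens.example", {"org_id": 1}))
    for host in ("globex.errlens.example", "nobody.errlens.example"):
        try:
            handle_request(db, host, {"org_id": 1})
        except NotFound:
            print(host, "-> 404")
    print("unscoped (the bug):", events_unscoped(db))
```

Both the mismatched session and the non-existent subdomain produce the same 404 from the same code path, which is the whole point of the check; the third layer (row-level security in the database) is not shown here because it is a database policy, not application code.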
PII handling
What we don't store is the point.
The fastest way to fail a privacy review is to keep more data than you need. We mask aggressively at ingest, then forget.
Scrub at ingest
Email addresses, IPv4 and IPv6 addresses, common API-key shapes, and JWT or Bearer tokens are all masked before the event row hits storage.
Unredacted never persists
The scrub function runs before persistence. There is no "raw" archive. If the scrub fails, the event is dropped rather than logged unredacted.
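An ingest scrubber of the kind the two items above describe, added here as an example and not ErrLens's own code: regex masks for the listed data classes, IP candidates validated with the standard ipaddress module so timestamps and MAC-like strings are left alone, and a fail-closed wrapper that returns None (drop the event) when scrubbing raises. The patterns, the mask tokens, the API-key shapes and the sample event are assumptions constructed for the example.

```python
# Added example, not ErrLens code: mask-at-ingest with fail-closed semantics.
# Patterns, mask tokens and key shapes are assumptions; the event is constructed.
import ipaddress
import re
from typing import Any, Optional

_BEARER = re.compile(r"\bBearer\s+[A-Za-z0-9._~+/=-]+", re.IGNORECASE)
_JWT = re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b")
# assumed "common API key shapes": sk_live_..., pk_test_..., AWS access key ids
_API_KEY = re.compile(r"\b(?:sk|pk|rk)_(?:live|test)_[A-Za-z0-9]{16,}\b|\bAKIA[0-9A-Z]{16}\b")
_EMAIL = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# loose IPv6 candidate; ipaddress decides whether it really is an address
_IPV6 = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")


def _mask_ip(kind: str):
    """Replace only candidates that parse as IP addresses; keep '999.1.1.1',
    '12:30:45' or 'aa:bb:cc:dd:ee:ff' untouched."""
    def repl(m: re.Match) -> str:
        try:
            ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)
        return f"[redacted:{kind}]"
    return repl


# Order matters: a Bearer header swallows the JWT it carries before the JWT rule runs.
_RULES = [
    (_BEARER, "[redacted:bearer]"),
    (_JWT, "[redacted:jwt]"),
    (_API_KEY, "[redacted:api-key]"),
    (_EMAIL, "[redacted:email]"),
    (_IPV4, _mask_ip("ipv4")),
    (_IPV6, _mask_ip("ipv6")),
]


def scrub_text(text: str) -> str:
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text


def _scrub_value(value: Any, depth: int = 0) -> Any:
    """Walk the event; anything not str/number/bool/None/dict/list is an error."""
    if depth > 32:  # assumption: refuse absurdly nested payloads
        raise ValueError("event too deeply nested")
    if isinstance(value, str):
        return scrub_text(value)
    if isinstance(value, dict):
        return {scrub_text(str(k)): _scrub_value(v, depth + 1) for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub_value(v, depth + 1) for v in value]
    if value is None or isinstance(value, (bool, int, float)):
        return value
    raise TypeError(f"unscrubbable field of type {type(value).__name__}")


def scrub_event(event: dict) -> Optional[dict]:
    """Runs before persistence. Returns the masked event, or None meaning
    'drop it': a failed scrub never produces an unredacted row."""
    try:
        return _scrub_value(event)
    except Exception:
        return None


SAMPLE_EVENT = {  # constructed input
    "message": "login failed for alice@example.com from 10.0.0.5 at 12:30:45",
    "headers": {"authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9.sig_part"},
    "client_ip": "2001:db8::1",
    "device_mac": "aa:bb:cc:dd:ee:ff",
    "version": "999.1.1.1",
}

if __name__ == "__main__":
    print(scrub_event(SAMPLE_EVENT))
    print(scrub_event({"blob": b"raw bytes"}))  # None: dropped, not logged raw
```

The validation step is what keeps a regex scrubber usable: without it, version strings and clock times get masked and engineers stop trusting the output. Dropping on error is the conservative choice the page describes; if you prefer to keep the event, the only safe alternative is to replace the offending field wholesale, never to persist it as-is.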
Customer-controlled exclusions
Per-project inbound filters drop events by tag, environment, or release. Roadmap: regex-based body filters.
No session replay. No profiling.
We deliberately do not store DOM snapshots, request bodies, or memory profiles. Less data is less privacy surface.
Residency + transport
EU customers stay in the EU. Everyone gets TLS.
EU ingest pinned to EU
A separate ingest endpoint resolves to EU infrastructure. Contractual, not aspirational. SCC-ready for non-EU recipients of incident data.
TLS 1.2+ only
Modern cipher suites only. HSTS preloaded. Plain-HTTP traffic is redirected at the edge.
Customer list stays private
Our certificate strategy doesn't put tenant subdomains into public Certificate Transparency logs, where every publicly trusted certificate and each hostname it names is published for anyone to search. Who we work with is our business — and yours.
Outbound signing
Receivers know we sent it.
HMAC-SHA256 per destination
Each alert destination gets a 256-bit signing secret at creation. Every webhook POST carries an X-ErrLens-Signature header for the receiver to verify.
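Signing and verification for that header, as an added example and not ErrLens's own implementation. The page says only that the secret is 256 bits, the algorithm is HMAC-SHA256 and the header is X-ErrLens-Signature; the encoding (lowercase hex of the MAC over the raw request body) is an assumption, so check it against the real destination settings before relying on it.

```python
# Added example, not ErrLens code. Assumption: X-ErrLens-Signature carries the
# lowercase hex HMAC-SHA256 of the exact request body bytes.
import hashlib
import hmac
import json
import secrets

HEADER = "X-ErrLens-Signature"


def new_destination_secret() -> bytes:
    """256-bit secret minted once per destination; never shared between them."""
    return secrets.token_bytes(32)


def sign(secret: bytes, body: bytes) -> str:
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_request(secret: bytes, event: dict) -> tuple:
    """Sender side: serialise once, sign those exact bytes, send both."""
    body = json.dumps(event, separators=(",", ":"), sort_keys=True).encode()
    return {"Content-Type": "application/json", HEADER: sign(secret, body)}, body


def verify(secret: bytes, headers: dict, raw_body: bytes) -> bool:
    """Receiver side. Verify over the raw body bytes as received, never over a
    re-serialised copy, and compare in constant time."""
    given = {k.lower(): v for k, v in headers.items()}.get(HEADER.lower())
    if not given:
        return False
    try:
        given_mac = bytes.fromhex(given)          # non-hex or odd-length: reject
    except ValueError:
        return False
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    return hmac.compare_digest(given_mac, expected)


if __name__ == "__main__":
    secret = new_destination_secret()
    headers, body = build_request(secret, {"event": "error", "id": 42})
    print(headers[HEADER], verify(secret, headers, body))          # True
    print(verify(secret, headers, body + b" "))                    # False: tampered
    print(verify(new_destination_secret(), headers, body))         # False: wrong destination
```

Two receiver mistakes this guards against: parsing the JSON and re-encoding it before hashing (key order or whitespace changes break the MAC), and comparing with `==`, which leaks timing. The secret is per destination, so a leaked receiver secret only lets an attacker forge webhooks to that one receiver.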
Rotate via delete + re-add
No secret is reused across destinations. Rotation is intentional — delete, re-add, paste the new secret into the receiver.
Backoff that doesn't spam
Transient failures (timeouts, connection errors, 5xx responses) retry with exponential backoff. 4xx responses fail permanently after one attempt rather than re-firing forever.
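The retry policy just described, written as a pure function over an injectable transport so it can be tested without a network. This is an added example, not ErrLens code; the base delay, cap, jitter and attempt count are assumptions, and the scripted transport is constructed for the demonstration.

```python
# Added example, not ErrLens code: exponential backoff that gives up on 4xx.
# Base delay, cap, jitter and max_attempts are assumptions.
import random
from typing import Callable, Optional


class DeliveryError(Exception):
    """Transport-level failure (DNS, connect, TLS, timeout): treated as transient."""


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 300.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Capped exponential delay with full jitter; attempt starts at 1."""
    return rng() * min(cap, base * 2 ** (attempt - 1))


def classify(status: int) -> str:
    if 200 <= status < 300:
        return "delivered"
    if 400 <= status < 500:
        return "permanent"      # page policy: any 4xx fails after one attempt
    return "transient"          # 5xx and anything unexpected: retry


def deliver(post: Callable[[], Optional[int]], max_attempts: int = 5,
            sleep: Callable[[float], None] = lambda s: None,
            rng: Callable[[], float] = random.random) -> dict:
    """Call post() until it is delivered, fails permanently, or attempts run out.
    post() returns an HTTP status or raises DeliveryError."""
    delays = []
    status = None
    for attempt in range(1, max_attempts + 1):
        try:
            status = post()
        except DeliveryError:
            status = None
        outcome = "transient" if status is None else classify(status)
        if outcome != "transient":
            return {"outcome": outcome, "attempts": attempt, "status": status, "delays": delays}
        if attempt < max_attempts:
            delay = backoff_delay(attempt, rng=rng)
            delays.append(delay)
            sleep(delay)
    return {"outcome": "exhausted", "attempts": max_attempts, "status": status, "delays": delays}


def scripted_transport(*responses) -> Callable[[], Optional[int]]:
    """Constructed fake: yields each status in turn, raising exceptions as given."""
    it = iter(responses)

    def post() -> Optional[int]:
        r = next(it)
        if isinstance(r, Exception):
            raise r
        return r
    return post


if __name__ == "__main__":
    fixed = lambda: 1.0   # no jitter, so the delays print as 1, 2, 4, ...
    print(deliver(scripted_transport(503, DeliveryError(), 200), rng=fixed))
    print(deliver(scripted_transport(410), rng=fixed))
    print(deliver(scripted_transport(500, 502, 503, 504, 500), rng=fixed))
```

One caveat for receivers: the page's rule treats every 4xx as permanent, so a receiver that rate-limits with 429 will lose that alert rather than get a retry. If your endpoint can answer 429 or 408 under load, return a 5xx instead so the delivery is retried.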
Operational hygiene
The boring DevOps bits.
Encrypted backups
Daily encrypted backups, held separately from the running service. Restore tested on a schedule.
Replay-safe schema changes
Every database migration is safe to re-run. Disaster-recovery replays don't leave the schema in a half-applied state.
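What "safe to re-run" looks like in code, as an added example and not ErrLens's migration tooling: each step guards its own DDL (IF NOT EXISTS, or a catalogue check where SQLite lacks ADD COLUMN IF NOT EXISTS), and the step and its bookkeeping row commit in one explicit transaction. The block then simulates the disaster-recovery case, DDL replayed without the version table, and shows the runner converging on the same schema. SQLite and the two sample migrations are assumptions chosen so the example runs offline.

```python
# Added example, not ErrLens code: an idempotent migration runner on SQLite.
# Each step is re-runnable on its own, and step + version row commit together.
import sqlite3


def open_db() -> sqlite3.Connection:
    # isolation_level=None: we issue BEGIN/COMMIT ourselves so DDL is in the txn
    return sqlite3.connect(":memory:", isolation_level=None)


def has_column(db: sqlite3.Connection, table: str, column: str) -> bool:
    return any(row[1] == column for row in db.execute(f"PRAGMA table_info({table})"))


def m1_create_events(db: sqlite3.Connection) -> None:
    db.execute("CREATE TABLE IF NOT EXISTS events (id INTEGER PRIMARY KEY, "
               "org_id INTEGER NOT NULL, message TEXT NOT NULL)")
    db.execute("CREATE INDEX IF NOT EXISTS events_org_idx ON events (org_id)")


def m2_add_release(db: sqlite3.Connection) -> None:
    # SQLite has no ADD COLUMN IF NOT EXISTS, so consult the catalogue first
    if not has_column(db, "events", "release"):
        db.execute("ALTER TABLE events ADD COLUMN release TEXT")


MIGRATIONS = [(1, m1_create_events), (2, m2_add_release)]


def migrate(db: sqlite3.Connection) -> list:
    """Apply every unapplied migration; return the versions run this call."""
    db.execute("CREATE TABLE IF NOT EXISTS schema_migrations (version INTEGER PRIMARY KEY)")
    applied = {row[0] for row in db.execute("SELECT version FROM schema_migrations")}
    ran = []
    for version, step in MIGRATIONS:
        if version in applied:
            continue
        db.execute("BEGIN")
        try:
            step(db)
            db.execute("INSERT INTO schema_migrations (version) VALUES (?)", (version,))
            db.execute("COMMIT")
        except Exception:
            db.execute("ROLLBACK")
            raise
        ran.append(version)
    return ran


def schema(db: sqlite3.Connection) -> list:
    """Normalised view of the schema for comparing two databases."""
    return [row[0] for row in db.execute(
        "SELECT sql FROM sqlite_master WHERE sql IS NOT NULL ORDER BY name")]


if __name__ == "__main__":
    fresh = open_db()
    print("fresh:", migrate(fresh), "again:", migrate(fresh))
    # DR replay: the DDL was applied but the version table never arrived
    replayed = open_db()
    m1_create_events(replayed)
    m2_add_release(replayed)
    print("after replay:", migrate(replayed), schema(fresh) == schema(replayed))
```

The guards inside each step are what make the replay safe; the version table only saves work. A migration that relies on the version table alone (plain CREATE TABLE, unconditional ALTER) fails the moment a restore replays it once more than the bookkeeping recorded.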
No proprietary lock-in
Standard wire protocol means an export-and-migrate path always exists. Switching costs are a competitive choice, not a moat.
Need our DPA, ROPA, or sub-processor list?
Email and we'll send them. EU-based primary hosting and a separate EU sub-processor for off-platform backups. Names disclosed in the DPA.