A security page your security team can actually use.

What we collect, how we store it, who can touch it, and where we are on certifications. No hand-waving.

Hosting region: US East (primary)
In transit: TLS 1.3
At rest: AES-256
Auth: Managed identity · SSO on Enterprise
Payments: Stripe · no card data touches us
SOC 2: Type II. In progress

What we store, and why.

Upkeel is a thin layer. Ingestion, correlation, alerting. We don't need (and don't want) more customer data than the minimum to do that job.

What goes in
  • Event envelopes: the type, name, correlationId, occurredAt, and whatever meta you choose to attach.
  • Organization + team metadata provided by your auth provider (email, name, role) via Clerk.
  • Billing metadata (plan, seats, subscription state). Card details never leave Stripe.
What doesn't
  • Your payloads. The SDK attaches whatever you put in meta. You decide how much. Don't put PHI or raw PII in there.
  • Your source code. The SDK runs client-side. We see only the calls you make.
  • Your users' credentials. Auth is via Clerk. Upkeel never sees passwords.
Retention
  • 365 days of event retention on every paid plan. Free trials get the same treatment.
  • Audit logs follow the same window, exportable on Team and Enterprise.
  • Up to 7 years for audit logs on Enterprise contracts that require it.
  • A nightly worker sweep deletes anything past your window. We never shorten retention without written consent.
Deletion
  • Customer deletes an organization in Clerk → webhook soft-deletes the corresponding Upkeel customer within seconds.
  • Historical events stay queryable for 30 days post-deletion (audit window), then are hard-deleted by the retention sweep.
  • Request a full purge at any time - [email protected], we ack within 2 business days.

Built for correctness, then for scale.

The ingest path and the detection engine are deliberately separated, so each can scale on its own as load shifts.

Where it runs

Hosted on major-provider cloud infrastructure in US East, fronted by a managed reverse proxy with TLS 1.3 and automatic certificate rotation. Persistent stores run inside a private network boundary; volumes are encrypted at rest with AES-256. Additional regions are added as enterprise customers require them.

Access

Operational access is limited to named administrators with hardware-backed keys and a passphrase requirement. No shared credentials, no standing third-party access. Every privileged action against a customer's data is written to an immutable audit log.

Deploys

Every release goes through CI: lint + typecheck + a real Postgres test suite, signed image builds, staged rollout with health-check gates. Staging always receives the change before production; rollbacks are one command.

Backups

Encrypted database snapshots run nightly and are retained per your plan's retention window (Basic/Pro) or a negotiated custom window. Restore drills run on staging ahead of each quarterly release so recovery stays muscle memory.

Who can do what.

Customer access

Your Clerk organization is the boundary. Members of the org see their org's data; no one else does. API keys are scoped to a single project within a single environment; they can only write events into that scope.

SSO + SAML

Available on Enterprise. Configured through our identity provider (Okta, Google Workspace, OneLogin, custom SAML are all supported). Required for teams with a compliance mandate.

Staff access

Upkeel staff only access a customer's data when impersonating to debug an issue. Impersonation is explicit (requires a staff flag + a reason), displays an amber audit banner across the entire shell the whole time, and every action it initiates is written to an internal audit log.

API key rotation

Rotate at any time from Settings → Keys. The ingest service caches authenticated keys for 60 seconds. After that, a revoked key is fully rejected. For zero-downtime rotation, create a new key, deploy it, then revoke the old one.
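
The rotation order and cache window described above, modeled as an added example (not Upkeel's code). The class, method and key names are hypothetical, and the model assumes a fixed 60-second expiry that revocation does not purge.

```javascript
// Added illustration: a model of an ingest-side key cache, not Upkeel's implementation.
const CACHE_TTL_MS = 60000; // the 60-second cache window stated above

class IngestAuth {
  constructor(now) {
    this.now = now;           // injected clock so the timeline is deterministic
    this.active = new Set();  // stand-in for the key store of record
    this.cache = new Map();   // key -> time (ms) at which the cached result expires
  }
  create(key) { this.active.add(key); }
  revoke(key) { this.active.delete(key); } // assumption: revoking does not purge the cache
  accepts(key) {
    const t = this.now();
    const exp = this.cache.get(key);
    if (exp !== undefined && t < exp) return true; // served from cache, no store lookup
    this.cache.delete(key);
    if (!this.active.has(key)) return false;       // unknown or revoked key
    this.cache.set(key, t + CACHE_TTL_MS);         // assumption: fixed TTL, not sliding
    return true;
  }
}

// Replays [timeMs, action, key] steps and returns the outcome of every "send".
function replay(steps) {
  let clock = 0;
  const auth = new IngestAuth(() => clock);
  const results = [];
  for (const [t, action, key] of steps) {
    clock = t;
    if (action === "send") results.push({ t, key, accepted: auth.accepts(key) });
    else auth[action](key); // "create" or "revoke"
  }
  return results;
}

// Constructed timeline following the page's order: create new, deploy, revoke old.
function rotationTimeline() {
  return replay([
    [0, "create", "key_old"],
    [1000, "send", "key_old"],   // authenticated, cached until t=61000
    [10000, "create", "key_new"],
    [20000, "send", "key_new"],  // deploy finished: producers now use key_new
    [30000, "revoke", "key_old"],
    [40000, "send", "key_new"],  // no rejected events during the rotation
    [45000, "send", "key_old"],  // stray sender: still accepted from cache
    [61000, "send", "key_old"],  // cache entry expired: rejected
  ]);
}
```

In this model a key that was recently used keeps working for up to 60 seconds after revocation, which is the window to account for when revoking a key you believe has leaked.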

Where we are on the paperwork.

We'll be honest about status. Trust is hard to earn and easy to burn, and we'd rather not pretend we're further along than we are.

Artifact | Status | Notes
SOC 2 Type II | In progress | Observation period running. Target report available to Enterprise prospects on NDA.
GDPR DPA | On request | We'll sign a DPA for EU customers. Email [email protected].
HIPAA BAA | Enterprise only | Negotiated per contract. Requires architecture review to confirm no PHI transits meta.
Subprocessors | Published | DigitalOcean (hosting), Stripe (billing), Clerk (auth), Resend (email). Updated when it changes.
Pen test | Scheduled | Independent pen test planned for Q3 2026 following SOC 2 remediation.

If something goes wrong.

How you'd hear

Security-affecting incident: we post a detailed note on status.upkeel.dev within 2 hours of detection, email every affected org admin within 24 hours, and publish a post-mortem within 14 days. Non-security outages: status page only.

How to report

Suspect a security issue in Upkeel? Email [email protected]. For responsibly-disclosed vulnerabilities we'll ack within 24 hours, fix within 30 days, and credit you publicly if you want.

Still have questions?

Send your security questionnaire to [email protected] or talk to us about a Custom contract.