security
Your traces are yours. We just help you read them faster.
Incidentary was built by engineers who have debugged production incidents at 3am — and who know that the tooling you trust in a crisis has to earn that trust long before the page fires. Here is how we handle your data.
data protection
How we protect your data
Encryption at rest and in transit
All data is encrypted with AES-256 at rest and TLS 1.2+ in transit. Your causal events never travel unprotected.
No sensitive payload storage
The SDKs capture timing, structure, and causal relationships — not request bodies, query results, or user data. You control what gets instrumented.
Tenant isolation
Every workspace operates in strict isolation. Data, credentials, and configuration are separated at every layer of the stack.
Retention controls
You choose how long traces are stored. When the retention window closes, data is permanently deleted — not archived, not moved, deleted.
SDK source transparency
The Node.js, Python, and Go SDKs are Apache 2.0 licensed. Read every line. Fork freely. Know exactly what runs in your infrastructure.
Access controls
Team-level permissions, SSO/SAML on Enterprise, and audit logs give you full visibility into who accessed what and when.
privacy
Privacy and control
Hybrid architecture
SDKs run inside your infrastructure. Only causal event metadata — timing, span relationships, service identifiers — leaves your network. The raw request never does.
Causal intelligence, not data hoarding
Incidentary builds causal chains from structural signals. It does not need your business data to do it. The less sensitive data it touches, the better it works.
Minimal exposure by design
Shared trace links contain the causal chain and service topology. They do not contain environment variables, secrets, headers, or payload content.
stays in your infra
- request/response bodies
- query results & payloads
- environment variables
- headers & secrets
reaches incidentary
- span timing & duration
- service identifiers
- causal relationships
- error status codes
responsible disclosure
Report a security issue
If you believe you have found a security vulnerability in Incidentary, please report it responsibly. We take every report seriously and will acknowledge receipt within two business days.
Email: security@incidentary.com
Please include:
- Description of the vulnerability
- Steps to reproduce
- Affected URLs, endpoints, or services
- Your contact information
We will not take legal action against researchers who report vulnerabilities responsibly. If you are unsure whether something qualifies, send it anyway — we would rather hear about it.
get started
Trust starts with transparency.
The SDKs are Apache 2.0. The security model is documented here. When you are ready, the free plan captures a complete incident.