uokay monitors production systems and holds API keys on behalf of customers. This page describes how that data is protected.
Your API keys (bring-your-own-key)
- Keys are encrypted at rest with AES-256-CBC with HMAC integrity validation. The encryption key lives in the application environment, not in the database.
- Keys are decrypted only in memory, at the moment a check executes, and only to call the endpoint you configured. Decrypted values are never written to logs — log output redacts secrets by type.
- The dashboard shows only the last four characters of a key. Keys can be rotated or revoked at any time; monitors using a revoked key stop with a configuration error rather than falling back to another credential.
- Judge-model calls for LLM-as-judge assertions use your key on your account, so no responses are ever routed through third-party accounts.
Infrastructure
- Checks execute from EU-based compute (Hetzner, Falkenstein, Germany). The database is managed Postgres in an EU region (Supabase eu-central). Public status pages render at the Cloudflare edge.
- All traffic is TLS-encrypted in transit, including internal connections between the check runner, the database, and the application.
- Production access is limited to the operator, uses SSH keys only, and every component is deployable without downtime so security patches ship fast.
Application
- Passwords are hashed with bcrypt. Two-factor authentication (TOTP) is available on every account.
- Authentication endpoints and the heartbeat ingestion endpoint are rate limited.
- Role-based access controls separate owner, admin, and member permissions inside a team.
- Check results are retained only for your plan's retention window, then deleted automatically.
Payments
Payments are processed by Mollie B.V. (Netherlands). Card and bank details never reach our servers.
Reporting a vulnerability
Found a security issue? Email [email protected]. We respond within 48 hours, and we do not pursue legal action against good-faith research.