Observer Security

Security model: your data stays in your network.

The agent runs inside your infrastructure and pushes only the verdict outbound. Raw metrics, queries, and credentials have no path to Observer's cloud.

Most monitoring tools work by pulling data into a SaaS cloud. Observer inverts that: a self-hosted agent pulls data inside your network and pushes only the computed result outward. What an attacker could learn by capturing that push shrinks to the verdict itself, which is the same thing your customers already see on the status page.

Data boundary

What leaves your network, what stays.

The boundary is the agent process. Everything that crosses it is listed here.

Leaves your network:
  - The computed verdict (healthy / degraded / unhealthy)
  - The metric value at verdict time
  - Timestamp of the check
  - Agent version and uptime heartbeat

Stays in your network:
  - PromQL query text
  - Raw metric values outside of verdict pushes
  - Log file contents
  - Database connection strings
  - TLS private keys or client certificates
  - AWS credentials or role ARNs

Architecture

Outbound-only, no inbound surface.

The agent is the only component that runs inside your network. It initiates; it does not listen.

Outbound-only agent
The Observer agent opens no inbound ports. It initiates outbound connections to push verdicts; nothing in your network listens for Observer, so firewall rules never need to allow an inbound Observer IP. The only network rule the agent needs is egress to Observer's endpoint.
Verdicts leave, not raw data
PromQL queries, log patterns, and database queries run inside your network. The agent evaluates them against your thresholds and sends only the result: healthy, degraded, or unhealthy. The query text never leaves; of the raw data, only the single metric value sampled at verdict time is included in the push.
Connection strings stay on the agent host
For database probes, you export the DSN to the agent's environment as an env var. The console stores only the variable name. Observer has no path to the connection string itself.
Query redaction in logs
When the agent writes diagnostic logs, PromQL query text is replaced with a prefix of the query's SHA-256 digest and its character count. The raw query never appears in log lines regardless of the log broadcast setting. The digest prefix is a correlation handle for matching log lines to a check, not a secret: anyone who already knows the query can compute the same prefix.
Key handling

Credentials that cannot be retrieved.

Agent keys are high-entropy tokens hashed on arrival. Rotation is graceful. Webhook deliveries carry a verifiable signature.

SHA-256 hashed, never stored raw
Agent keys are 32 bytes from crypto.randomBytes, formatted as obs_live_<43 base64url chars>. The cloud stores only the SHA-256 hash. The raw key is shown once at creation and cannot be retrieved afterward. A plain, unsalted SHA-256 is adequate here because the key carries 256 bits of entropy; unlike a password hash, it cannot be brute-forced from the stored digest.
Rotation with grace overlap
When you rotate an agent key, the previous key remains valid until its grace window closes. Agents already in the field keep working without a restart; the new key is valid immediately, alongside the old one, until the window ends.
Outbound webhook HMAC signatures
Every outbound webhook delivery is signed with HMAC-SHA-256 using the subscription's secret. The signature is sent in the X-Observer-Signature header and covers a timestamp, so a receiver can reject deliveries outside a freshness window and limit replay. On the receiving side, compute the MAC over the raw request body exactly as received and compare it in constant time.
Audit and isolation

Tenant boundaries and evidence.

Tenant isolation is enforced in application code. Actions are logged. Status history is signed and externally anchored.

Tenant isolation in application code
Every server action resolves the active organisation from the Clerk session and filters every query to that org_id. Isolation does not rely on database row-level security, which a shared connection-pool credential would sidestep; the org_id filter is applied in application code on every query. The corresponding failure mode is a query path that forgets the filter, which is why the filter belongs in a shared query layer rather than in each call site.
Audit log
Every destructive or sensitive action is written to an append-only audit_log table: who did what, from which IP, and when. Exportable from the console.
Signed status-flip history
Status flip events are Ed25519-signed and hash-chained per organisation, and the chain is anchored to the Bitcoin blockchain via OpenTimestamps, so a third party can verify it without trusting Observer. The signatures prove that nobody without the signing key altered or reordered the records. They cannot by themselves rule out an Observer operator rewriting and re-signing the chain, or silently dropping its tail; the external anchor commits the chain head to a point in time so that rewrites after that point are detectable.
Open source

The agent is Apache 2.0. Security teams can read every line that runs inside their network, audit probe behaviour, and build from source. There is no proprietary binary in your infrastructure.

github.com/useobserver/agent