Compliance

Built for compliance.
Not bolted on.

HostAtlas is designed from the ground up to meet compliance requirements. GDPR data isolation, SOC 2-aligned controls, role-based access, immutable audit trails, EU data residency, and automated incident documentation. Compliance is a first-class concern, not an afterthought.

GDPR: Data protection by design
SOC 2: Aligned security controls
RBAC: 4 roles, precise permissions
EU: Data residency available

GDPR

Data protection by design and by default.

HostAtlas complies with the EU General Data Protection Regulation. We process only the data necessary for infrastructure monitoring, enforce strict tenant isolation, and provide tools for data access, export, and deletion. Data minimization is a core principle, not a policy addition.

Data Isolation

Every team's data is isolated at the database query level using global scopes. Servers, metrics, logs, incidents, and configurations cannot cross team boundaries. This is enforced in code, not configuration.

Right to Erasure

Delete your account and all associated data. When a team is deleted, all servers, metrics, logs, incidents, dashboards, and member records are permanently purged from all storage systems, including backups, within 30 days.

Data Export

Export all your data at any time in JSON or CSV format: servers, metrics, logs, incidents, alert rules, dashboards, and team configurations. Data portability is a GDPR right, and HostAtlas makes it straightforward.

Data Minimization

We collect only what is necessary for infrastructure monitoring. No user behavior tracking. No advertising data. No third-party analytics on the dashboard. The agent collects system metrics and logs — nothing more.

Data Processing Agreement

Enterprise customers can sign a DPA that defines data processing terms, sub-processors, breach notification procedures, and data deletion obligations. Available upon request for Business and Enterprise plans.

Lawful Basis

We process personal data (email addresses, IP addresses in logs) under legitimate interest for providing the monitoring service and under contract for the service agreement. Consent is obtained where required.

SOC 2 Alignment

Security controls aligned with SOC 2 trust principles.

HostAtlas implements security controls aligned with the SOC 2 trust service criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. While we are not yet SOC 2 certified, our infrastructure, processes, and engineering practices follow these principles.

Audit Logging

Every significant action is recorded in an immutable audit log: who did what, when, from which IP address. Audit logs cannot be modified or deleted by any user, including administrators.

Access Controls

Role-based access control with four granular roles. Two-factor authentication. API key scoping. Session management with encrypted, HttpOnly, Secure cookies.

Encryption

Data encrypted in transit (TLS 1.3) and at rest (AES-256). Agent communications signed with HMAC-SHA256. Tokens stored as SHA-256 hashes. Passwords hashed with bcrypt.

Change Management

All code changes go through pull request review. Deployments are automated via CI/CD. Infrastructure changes are tracked and audited. Rollback procedures are documented and tested.

Audit Trail Example

Action               Time     Actor                IP            Detail
server.created       2m ago   sascha@example.com   185.220.x.x   Server "prod-web-03" added to team
alert_rule.updated   14m ago  sascha@example.com   185.220.x.x   CPU threshold changed from 90% to 85%
team_member.invited  1h ago   sascha@example.com   185.220.x.x   Invited dev@example.com as Member
api_key.created      3h ago   sascha@example.com   185.220.x.x   Created "deploy-key" with deploys:write scope
attack_mode.enabled  6h ago   sascha@example.com   185.220.x.x   Under Attack Mode enabled on "prod-web-01"

Immutable. Cannot be modified or deleted by any user.

Role-Based Access

Owner, Admin, Member, Viewer.

Four roles with precise permission boundaries. Every API call and UI action is checked against the user's role. Least privilege is enforced by default — users can only access what their role explicitly allows.

Permission                            Owner  Admin  Member  Viewer
View servers, services, domains       yes    yes    yes     yes
View metrics, logs, incidents         yes    yes    yes     yes
Create dashboards, alert rules        yes    yes    yes     no
Run recipes, execute commands         yes    yes    yes     no
Manage notification channels          yes    yes    no      no
Manage API keys, webhooks             yes    yes    no      no
Invite and remove team members        yes    yes    no      no
Billing, plan changes, team deletion  yes    no     no      no
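The permission matrix above, expressed as a default-deny authorization check that also writes the kind of audit entry shown in the Audit Trail Example (who, what, when, from which IP). This is an added illustration, not HostAtlas code; the permission keys and the "access.denied" action name are assumed, and the matrix is transcribed row by row from the table.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
# Permission matrix transcribed row by row from the page's table: each permission
# maps to the roles holding it; anything unlisted is denied (default deny).
# The permission keys are assumed names, not HostAtlas identifiers.
PERMISSIONS = {
    "servers.view":             frozenset({"owner", "admin", "member", "viewer"}),
    "telemetry.view":           frozenset({"owner", "admin", "member", "viewer"}),
    "dashboards_rules.create":  frozenset({"owner", "admin", "member"}),
    "recipes_commands.run":     frozenset({"owner", "admin", "member"}),
    "notifications.manage":     frozenset({"owner", "admin"}),
    "api_keys_webhooks.manage": frozenset({"owner", "admin"}),
    "members.manage":           frozenset({"owner", "admin"}),
    "billing_team.manage":      frozenset({"owner"}),
}
ROLE_ORDER = ["viewer", "member", "admin", "owner"]  # least to most privileged

@dataclass(frozen=True)
class AuditEntry:
    action: str  # page-style action name, or "access.denied" for refusals
    actor: str
    ip: str
    detail: str
    at: str

AUDIT_LOG: list = []  # append-only in this illustration

def is_allowed(role: str, permission: str) -> bool:
    """Default deny: an unknown role or an unlisted permission never passes."""
    return role in PERMISSIONS.get(permission, frozenset())

def authorize(actor, role, ip, permission, action, detail) -> bool:
    """Check the matrix and record who did (or was refused) what, when, from where."""
    allowed = is_allowed(role, permission)
    AUDIT_LOG.append(AuditEntry(
        action=action if allowed else "access.denied",
        actor=actor, ip=ip,
        detail=detail if allowed else f"{role} lacks {permission} for {action}",
        at=datetime.now(timezone.utc).isoformat(),
    ))
    return allowed

def hierarchy_violations() -> list:
    """Permissions a lower role holds but a higher role lacks; empty for a nested matrix."""
    bad = []
    for perm, roles in PERMISSIONS.items():
        for lo, hi in zip(ROLE_ORDER, ROLE_ORDER[1:]):
            if lo in roles and hi not in roles:
                bad.append(f"{perm}: {lo} allowed but {hi} denied")
    return bad
```

Running hierarchy_violations() in CI catches a matrix edit that gives Member something Admin lacks, which the page's strictly nested roles (Viewer < Member < Admin < Owner) never allow.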

Data Residency

EU hosting available. Data stays where you need it.

HostAtlas infrastructure is hosted in the European Union. All metrics, logs, incidents, and team data reside in EU data centers. For organizations with data residency requirements, this ensures your monitoring data never leaves the EU. We do not transfer data to non-EU countries for processing.

- All data stored in EU data centers
- No cross-border data transfers for processing
- Infrastructure hosted on Hetzner (Germany & Finland)
- Offsite backups stored on Hetzner S3 (EU)

Data Flow

Your Servers (anywhere)  --(agent sends metrics via TLS 1.3)-->  HostAtlas Platform (EU)

HostAtlas Platform (EU) storage locations:
  PostgreSQL      Germany
  ClickHouse      Germany
  Object Storage  Finland
  Backups         Germany

Incident Response & Transparency

Automated detection. Documented response. Public transparency.

HostAtlas provides automated incident detection, structured documentation, and public status pages. When compliance auditors ask how you handle incidents, you'll have a complete, timestamped record of every detection, notification, and resolution.

Incident Response

HostAtlas creates incidents automatically from alert rules, tracks timeline events, and documents resolution steps. Every incident includes: detection time, notification log, affected resources, timeline of status changes, and resolution summary.

- Automatic detection from metric thresholds
- Structured timeline with timestamps
- Notification audit log (who was notified, when)
- Post-incident export for compliance documentation

Status Pages

Public or private status pages for your customers. Incidents are reflected automatically. Your customers see real-time uptime, response times, and incident history — demonstrating transparency and building trust. Required by many compliance frameworks.

- Custom domain support (status.yourapp.com)
- Automatic incident updates from alert rules
- Uptime and response time graphs
- 90-day incident history

Get Started

Compliance-ready monitoring. Every plan.

HostAtlas includes GDPR compliance, RBAC, audit logging, encryption, and data residency on every plan. Enterprise customers get additional DPA support, custom retention policies, and dedicated compliance assistance. Free for up to 3 servers.