Security and trust at Ionhour
Ionhour is built to be a low-risk vendor: we watch the endpoints and cron jobs you point us at — we never touch your application’s data. This page explains what we store, how we protect it, and who processes it.
What Ionhour Stores
Monitoring configuration
Check names, endpoint URLs, schedules, and grace periods — the definitions you create.
Heartbeat signals
Timestamps and status results from your checks. No payloads, no application data.
Alert contacts
The email addresses and phone numbers you configure to receive notifications.
Account and billing basics
Your name, work email, and subscription state. Card details never touch our servers — Paddle processes payments as merchant of record.
Certifications & Standards
ISO 27001
Infrastructure — AWS
SOC 2 Type II
Infrastructure — AWS
GDPR
Self-serve DPA for all customers
CCPA / CPRA
California privacy rights honoured
ISO 27001 and SOC 2 Type II are held by our infrastructure provider, Amazon Web Services. Ionhour aligns its own controls with these frameworks and publishes its practices on this page.
Product Security
Controls built into the Ionhour platform itself, protecting every workspace by default.
- Two-factor authentication and passkeys
- Role-based access control (Owner, Admin, Member, Viewer)
- Workspace isolation enforced on every query
- Global rate limiting on all API endpoints
- Scoped, revocable API keys
Infrastructure
The platform runs on certified cloud infrastructure with encryption everywhere.
- Hosted on Amazon Web Services (SOC 2, ISO 27001 certified)
- TLS 1.2+ for all data in transit
- AES-256 encryption at rest
- Cloudflare DDoS protection in front of every endpoint
- Isolated staging and production environments
Data & Privacy
Minimal collection, clear contracts, and full control over your data lifecycle.
- GDPR-ready DPA for every customer
- 15-day advance notice of sub-processor changes
- Data deletion on account closure
- Minimal, purpose-bound data collection
- No sale of personal data — ever
Organizational
How the team behind Ionhour handles access, incidents, and outside researchers.
- Need-to-know access to production systems
- Confidentiality agreements for all personnel
- Documented incident response procedures
- Periodic penetration testing and security reviews
- Vulnerability disclosure program with safe harbour
Sub-processors
Ionhour uses a short list of vetted providers to run the service. We notify customers at least 15 days before any change to this register — the contractual copy lives in our Data Processing Agreement.
| Sub-processor | Purpose |
|---|---|
| Cloudflare | CDN, DNS, DDoS protection, and traffic optimization |
| Amazon Web Services | Cloud infrastructure, hosting, data processing, and SMS alert delivery (SNS) |
| Paddle | Merchant of record — payment processing and billing |
| Postmark | Transactional email delivery |
| PostHog | Product analytics |
| Google (Google Analytics) | Web traffic analytics on the marketing site |
| Twilio | Voice call alert delivery |
| OpenRouter | AI query processing for MCP features |
| Ubicloud | CI/CD pipeline operations |
Policies & documents
Vendor questions,
answered up front.
The answers vendor reviews ask for most. Something missing? Email security@ionhour.com and we’ll get you an answer.
Read the disclosure policy