Skip to main content
Ionhour
Trust Center

Security and trust at Ionhour

Ionhour is built to be a low-risk vendor: we watch the endpoints and cron jobs you point us at — we never touch your application’s data. This page explains what we store, how we protect it, and who processes it.

What Ionhour Stores

Monitoring configuration

Check names, endpoint URLs, schedules, and grace periods — the definitions you create.

Heartbeat signals

Timestamps and status results from your checks. No payloads, no application data.

Alert contacts

The email addresses and phone numbers you configure to receive notifications.

Account and billing basics

Your name, work email, and subscription state. Card details never touch our servers — Paddle processes payments as merchant of record.

Certifications & Standards

ISO 27001

Infrastructure — AWS

SOC 2 Type II

Infrastructure — AWS

GDPR

GDPR

Self-serve DPA for all customers

CCPA / CPRA

CCPA / CPRA

California privacy rights honoured

ISO 27001 and SOC 2 Type II are held by our infrastructure provider, Amazon Web Services. Ionhour aligns its own controls with these frameworks and publishes its practices on this page.

Product Security

Controls built into the Ionhour platform itself, protecting every workspace by default.

  • Two-factor authentication and passkeys
  • Role-based access control (Owner, Admin, Member, Viewer)
  • Workspace isolation enforced on every query
  • Global rate limiting on all API endpoints
  • Scoped, revocable API keys

Infrastructure

The platform runs on certified cloud infrastructure with encryption everywhere.

  • Hosted on Amazon Web Services (SOC 2, ISO 27001 certified)
  • TLS 1.2+ for all data in transit
  • AES-256 encryption at rest
  • Cloudflare DDoS protection in front of every endpoint
  • Isolated staging and production environments

Data & Privacy

Minimal collection, clear contracts, and full control over your data lifecycle.

  • GDPR-ready DPA for every customer
  • 15-day advance notice of sub-processor changes
  • Data deletion on account closure
  • Minimal, purpose-bound data collection
  • No sale of personal data — ever

Organizational

How the team behind Ionhour handles access, incidents, and outside researchers.

  • Need-to-know access to production systems
  • Confidentiality agreements for all personnel
  • Documented incident response procedures
  • Periodic penetration testing and security reviews
  • Vulnerability disclosure program with safe harbour

Sub-processors

Ionhour uses a short list of vetted providers to run the service. We notify customers at least 15 days before any change to this register — the contractual copy lives in our Data Processing Agreement.

Sub-processorPurpose
CloudflareCDN, DNS, DDoS protection, and traffic optimization
Amazon Web ServicesCloud infrastructure, hosting, data processing, and SMS alert delivery (SNS)
PaddleMerchant of record — payment processing and billing
PostmarkTransactional email delivery
PostHogProduct analytics
Google (Google Analytics)Web traffic analytics on the marketing site
TwilioVoice call alert delivery
OpenRouterAI query processing for MCP features
UbicloudCI/CD pipeline operations

Vendor questions,
answered up front.

The answers vendor reviews ask for most. Something missing? Email security@ionhour.com and we’ll get you an answer.

Read the disclosure policy

Monitor with confidence.

Free forever for individuals. Your data stays yours.