1 Purpose & scope
This policy defines how Fivenines protects the confidentiality, integrity, and availability of the Service and of the data customers entrust to it. It applies to the fivenines.io platform, the open-source monitoring agent, the production infrastructure they run on, and everyone who operates them.
Policy Owner
Founder, fivenines.io (France)
Security Contact
2 Governance & personnel
- Accountability at the top - The founder acts as security officer: accountable for this policy, access decisions, and incident handling.
- Confidentiality - Everyone with access to production systems or customer data is bound by confidentiality obligations.
- Least privilege - Access is granted on a need-to-use basis and revoked when no longer required.
- Workstation security - Workstations used to operate the Service must use full-disk encryption and automatic screen locking.
3 Data classification & handling
We classify the data we hold into three classes, each with defined handling rules. Personal data within any class is processed under the GDPR, as described in our Privacy Policy.
| Class | What it includes | How we handle it |
|---|---|---|
| Account & billing | User names, work emails, organization details, invoices | Personal data under the GDPR. Access restricted to operating personnel. Card processing is fully delegated to Stripe - we never store card numbers. |
| Monitoring telemetry | Hostnames, server IP addresses, process names, resource metrics, security events (e.g. fail2ban ban statistics, including banned IPs) | Customer-confidential; some fields qualify as personal data under the GDPR. Ingested over TLS only, isolated per organization, retained per plan, never sold. |
| Secrets & credentials | Enrollment tokens, per-host agent tokens, API keys, optional integration credentials | Minimum scope, revocable at any time. The most sensitive fields (e.g. network device SNMP credentials) are additionally encrypted at the application layer. |
What we do not collect - by design:
- No file contents, no environment variables, no database rows or application data
- No cardholder data and no health data - Fivenines monitors infrastructure, not payloads
- The agent's exact read surface is documented on the Agent security page
Customers must not place regulated data (such as cardholder data or health information) in free-text monitoring fields like hostnames or labels.
4 Access control & authentication
- Multi-tenant isolation - Every record is scoped to an organization, and authorization is enforced at the application layer on every request.
- Role-based access - Owner, admin, and member roles limit what each user can see and change inside the product.
- Single sign-on - SAML SSO is available so organizations can enforce their own identity provider policies, including MFA.
- Authentication - User passwords are hashed with bcrypt; sessions are HTTPS-only.
- Production access - Limited to named, authorized personnel over SSH with key-based authentication. Shared accounts are not used.
5 Encryption
- In transit - All traffic to fivenines.io - dashboard, API, and agent ingestion - is served exclusively over TLS, with HSTS enforced.
- At rest - Production data and backups are encrypted at rest.
- Application layer - High-sensitivity credential fields (e.g. SNMP credentials) are additionally encrypted per attribute with Active Record Encryption.
- Passwords - Stored only as one-way bcrypt hashes, never in plain text.
6 Agent security model
Monitoring agents run inside customer infrastructure, so the agent is designed to be inspectable and inert:
- Push-only - The agent makes outbound HTTPS requests to fivenines.io. No inbound listener, no open port, ever.
- No remote control - No shell, no command execution, no file access. Fivenines cannot reach into a monitored server.
- Open source - The full agent code is public at github.com/Five-Nines-io/fivenines_agent, so what runs on your servers is auditable.
- Least privilege - A user-level install is available on Linux; on Windows the agent runs as a dedicated local service account.
- Per-host credentials - Each host authenticates with its own token; enrollment tokens can be revoked at any time, and deleting a host invalidates its credentials.
The full model, including what the agent reads and its hard limits, is documented on the Agent security page.
7 Secure development & change management
- Review before merge - Every change ships through a pull request with review and a comprehensive automated test suite.
- Staging first - A dedicated staging environment is maintained for pre-production validation of risky changes.
- Self-hosted observability - Errors and performance are tracked with a self-hosted Sentry instance - our error and performance telemetry does not leave our infrastructure.
- Dependency hygiene - Dependencies are kept current, and security advisories for our stack are monitored.
8 Vulnerability management & responsible disclosure
- Patching - Production systems are regularly patched and hardened.
- We run Fivenines on Fivenines - Our own servers are monitored with the product, including its package vulnerability (CVE) scanning.
- Responsible disclosure - Report vulnerabilities to security@fivenines.io. We acknowledge reports within 3 business days, keep reporters informed, and do not pursue legal action against good-faith research.
9 Incident response & breach notification
- Detect - Alerting on our own monitoring plus self-hosted error tracking.
- Respond - Triage, contain, remediate - with a root-cause review after every significant incident.
- Communicate - Service incidents are published on status.fivenines.io.
- Personal data breaches - As a French data controller we notify the competent supervisory authority (CNIL) within 72 hours where required by GDPR Art. 33, and affected customers without undue delay (Art. 34).
10 Backups & business continuity
- Backups - Production data is backed up on a rolling schedule; backups are encrypted and purged on expiry.
- Recovery - The production stack is containerized and can be redeployed from source and backups.
- EU infrastructure - Core systems and data stores run in EU datacenters (Hetzner). Optional uptime checks run from a small global probe network, so availability is measured from your users' regions.
11 Sub-processors & vendor management
- Small, vetted set - We use a small number of providers, each bound by data-protection commitments appropriate to what it processes.
- Authoritative list - The current provider list and purposes are maintained in the Privacy Policy.
- Review before use - New vendors are reviewed for security posture and data-protection terms before any customer data reaches them; we prefer EU-based or EU-hosted options.
12 Data retention & deletion
- Metrics - Retained while your account is active; plans define a retention window (6 to 24 months), and older data may be downsampled or expired.
- Logs - Security and diagnostic logs are typically retained ~30 days.
- Account deletion - Deleting an organization removes all associated data, including the time-series history, through an automated deletion pipeline.
- Inactive accounts - May be deleted after 24-36 months of inactivity, with reasonable notice.
13 Compliance & policy review
- GDPR - We operate as a French data controller under CNIL supervision; legal bases and data subject rights are described in the Privacy Policy.
- PCI DSS - Card payments are fully delegated to Stripe; Fivenines never stores or processes cardholder data.
- HIPAA - Fivenines is infrastructure monitoring and is not designed to receive health data; we do not sign BAAs.
- Review cadence - This policy is reviewed at least annually, and after any material change to the Service. Every revision is recorded in the changelog below.
14 Changelog
2026-07-10
Initial public draft.
Note: This document describes our current practices and commitments. It is provided for informational purposes and does not constitute a contractual guarantee unless referenced in your agreement.
Questions about security?
Contact us at
security@fivenines.ioSee also our Privacy Policy