StillOnline security

How StillOnline handles authentication, API keys, monitoring data, and platform status. Facts from production; no SOC 2 claims.

Details

StillOnline is a hosted SaaS on a VPS in the EU (production: stillonline.tech, api.stillonline.tech). This page summarizes how we handle authentication, API keys, monitoring data, and incidents. For personal data processing, see our Privacy Policy.

Authentication

  • Sign-in: Google OAuth (Auth.js v5). We do not store passwords.
  • Sessions: HTTP-only cookies; dashboard routes require an authenticated session.
  • Subscribers on public status pages: Google Sign-In; email comes from the Google account.

API keys (Pro / Ultimate)

  • Keys are created in Settings → API (sk_live_… prefix).
  • Keys are stored hashed; the full secret is shown once at creation.
  • Revoke unused keys from the dashboard.
  • Rate limits: documented in API docs (per-key windows for private API; per-IP limits for public status JSON).

What we store

  • Account: Google profile fields needed for login and billing context.
  • Projects: names, descriptions, timezone, check URLs, probe results, incident history (per plan retention).
  • Checks: target URLs you configure; probe metadata (status code, latency, SSL expiry where enabled).
  • Alerts: owner alert channel settings (email, Telegram chat id, Slack webhook URL) — secrets are not exposed in public APIs.

We do not sell customer lists. See Privacy Policy for retention and rights.

Probes and infrastructure

  • HTTP/SSL checks run from StillOnline production probes (StillOnline-Probe/1.0 user agent).
  • Targets must be public HTTPS URLs; private IP and SSRF targets are rejected (validate-url applies).
  • Application and database run in Docker on a dedicated VPS; TLS terminates at nginx.

Email

  • Transactional mail from notify@stillonline.tech (Postfix on VPS, SPF/DKIM/DMARC configured).
  • Privacy contact: privacy@stillonline.tech.

Incidents and disclosure

  • Your incidents: you control messages on your public status pages.
  • StillOnline service incidents: we publish updates on Service status when the platform is affected.
  • Security issues: report to frenkyjuss@gmail.com (not a bug bounty program).

What we do not claim

  • No SOC 2 / ISO 27001 certification at this time.
  • No guaranteed SLA on the Free plan; paid plans are best-effort hosted SaaS as described in Terms.

Security FAQ

How are API keys stored?
Keys are hashed at rest; the full secret is shown once at creation. Revoke unused keys in API settings.

Which URLs can I monitor?
Public HTTPS URLs only. Private IPs and SSRF targets are rejected by probe validation.

Where is StillOnline platform status published?
On the Service status page (/status)—live probes of our website and API when the service project is configured.