Security
How we protect your data
All data is encrypted in transit with TLS (TLS 1.2 is the minimum; TLS 1.3 is negotiated where the client supports it). API endpoints enforce HTTPS and reject plain-HTTP connections.
All stored data (analysis metadata, account data) is encrypted at rest using AES-256.
Raw log content submitted for analysis is processed in-memory and never written to disk.
API keys are stored only as bcrypt hashes. The plain-text key is shown once, at generation, and is never stored.
All admin actions, member changes, and API key operations are logged (Enterprise plan).
We are currently undergoing SOC 2 Type II certification. Expected completion Q3 2025.
Responsible disclosure
If you discover a security vulnerability, please email security@errorlens.ai with a detailed description. We will acknowledge your report within 24 hours and aim to resolve confirmed vulnerabilities within 30 days. We do not pursue legal action against good-faith security researchers.
Security Audit Summary
Last audit: March 2025
| Test | Status | Details |
|---|---|---|
| XSS (Cross-Site Scripting) | ✅ Protected | React JSX auto-escapes text output. Invoice HTML is built with an explicit escHtml() escaping step. No use of dangerouslySetInnerHTML. |
| SQL / NoSQL Injection | ✅ Mitigated | The SPA issues no database queries itself; client-side state lives in localStorage and everything else goes through the REST API. Server-side, the API uses parameterized queries. |
| CSRF (Cross-Site Request Forgery) | ✅ Protected | API requests authenticate with an API key header, which browsers never attach automatically. Session cookies for the web app are SameSite=Strict. |
| Brute Force (Login) | ✅ Protected | An account locks for 15 minutes after 5 failed login attempts. API endpoints are rate-limited to 60 requests per minute. |
| Password Security | ✅ Enforced | Minimum 6 characters with at least one letter and one digit (note that NIST SP 800-63B recommends a minimum of 8). Passwords are stored as bcrypt hashes (cost 12) in production, never in plain text. |
| Data Leakage | ✅ Mitigated | Raw logs are processed in memory only and never persisted. API keys are shown once, at creation. No third-party analytics. |
| Transport Security | ✅ Enforced | TLS 1.2 or later required (TLS 1.3 where supported). HSTS with a one-year max-age. All external resources loaded over HTTPS. |
| CSP (Content Security Policy) | ⚠️ Configured (see note) | script-src restricted to 'self' plus the CDN domains; frame-ancestors 'none' is declared. The policy is currently delivered via a meta tag, and browsers ignore frame-ancestors (as well as report-uri and sandbox) in a meta-delivered policy, so the framing protection only takes effect once the policy is also sent as the Content-Security-Policy HTTP header. |
| Sensitive Data in localStorage | ⚠️ Acceptable Risk | Integration API tokens are kept in localStorage (client-side only), cleared on logout, and never transmitted to ErrorLens servers. localStorage is readable by any script running in the page, so this relies on the XSS protections above holding. |
| API Key Exposure | ⚠️ Architecture Note | In demo mode the API key is sent from the browser. Production deployments should proxy API calls through a server-side endpoint so the key never reaches the client. |
| 2FA | ✅ Available | TOTP-based two-factor authentication on all plans via Settings → Security. |
| Session Management | ✅ Secure | Cryptographically random session tokens in cookies set with HttpOnly, Secure and SameSite=Strict; 24-hour expiry. |
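The brute-force controls in the table (5 failures lock an account for 15 minutes; 60 requests per minute per API key), as an added example that is not ErrorLens code. The state is kept in process memory and `now` is passed in as epoch milliseconds so the windows can be exercised deterministically; a real deployment keeps these counters in a shared store so every API node sees the same values.

```javascript
// Added example, not ErrorLens code: login lockout and API rate limiting from the audit
// table as testable in-memory logic. Timestamps are epoch milliseconds supplied by the caller.
const LOCK_THRESHOLD = 5;                // failed attempts before lockout
const LOCK_DURATION_MS = 15 * 60 * 1000; // 15 minutes
const RATE_LIMIT = 60;                   // requests per window per API key
const RATE_WINDOW_MS = 60 * 1000;        // 1 minute

const loginState = new Map(); // account -> { failures, lockedUntil }
const requestLog = new Map(); // apiKeyId -> ascending timestamps inside the current window

// Decide whether a login attempt may proceed. Call before the password is checked.
function loginGate(account, now) {
  const s = loginState.get(account);
  if (s && s.lockedUntil > now) {
    return { allowed: false, retryAfterMs: s.lockedUntil - now };
  }
  return { allowed: true, retryAfterMs: 0 };
}

// Record the outcome of an attempt that passed the gate.
function recordLogin(account, success, now) {
  if (success) {
    loginState.delete(account); // a good login clears the failure counter
    return;
  }
  const s = loginState.get(account) || { failures: 0, lockedUntil: 0 };
  s.failures += 1;
  if (s.failures >= LOCK_THRESHOLD) {
    s.lockedUntil = now + LOCK_DURATION_MS;
    s.failures = 0; // the count starts over once the lock has expired
  }
  loginState.set(account, s);
}

// Sliding-window limiter: at most RATE_LIMIT requests in any RATE_WINDOW_MS span.
function rateLimit(apiKeyId, now) {
  const stamps = (requestLog.get(apiKeyId) || []).filter((t) => now - t < RATE_WINDOW_MS);
  if (stamps.length >= RATE_LIMIT) {
    requestLog.set(apiKeyId, stamps);
    // The window reopens when the oldest request inside it ages out.
    return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + RATE_WINDOW_MS - now };
  }
  stamps.push(now);
  requestLog.set(apiKeyId, stamps);
  return { allowed: true, remaining: RATE_LIMIT - stamps.length, retryAfterMs: 0 };
}

// Translate a limiter decision into the HTTP response the client sees.
function limitResponse(decision) {
  if (decision.allowed) return { status: 200, headers: {} };
  return {
    status: 429,
    headers: { "Retry-After": String(Math.ceil(decision.retryAfterMs / 1000)) },
  };
}
```

Two things to keep in mind with a per-account lockout: anyone who knows a username can lock its owner out by sending five wrong passwords, so production systems usually pair it with a per-source-IP limit or progressive delays rather than relying on it alone, and the gate should return the same response for unknown accounts as for locked ones so it does not become a username oracle.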
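The transport, CSP and session-cookie rows above, as an added example (not ErrorLens code) that writes them out as the HTTP response headers a server would emit, together with a check for the CSP directives that browsers discard when the policy arrives in a meta tag. The CDN host name, the cookie name and the extra `default-src`, `object-src` and `base-uri` directives are assumptions for illustration; the page only states script-src and frame-ancestors.

```javascript
// Added example, not ErrorLens code. Node.js built-ins only.
const crypto = require("crypto");

const CDN_HOST = "https://cdn.example.com"; // placeholder for the real CDN domain(s)

// Per the CSP specification these directives are dropped from a policy delivered through
// <meta http-equiv="Content-Security-Policy">; they only take effect as an HTTP header.
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

function contentSecurityPolicy() {
  return [
    "default-src 'self'",
    `script-src 'self' ${CDN_HOST}`,
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Parse "directive source source; directive ..." into a Map of directive -> [sources].
// A directive repeated later in the policy is ignored, as browsers do.
function parseCsp(policy) {
  const out = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!out.has(name)) out.set(name, sources);
  }
  return out;
}

// Directives of `policy` that would silently do nothing in a <meta> tag.
function directivesIgnoredInMeta(policy) {
  return [...parseCsp(policy).keys()].filter((d) => META_IGNORED.has(d));
}

// Headers to attach to every HTTPS response (one-year HSTS, CSP as a header).
function securityHeaders() {
  return {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": contentSecurityPolicy(),
  };
}

// New session: 256-bit random token, 24-hour lifetime, HttpOnly + Secure + SameSite=Strict.
function newSession(now = new Date()) {
  const token = crypto.randomBytes(32).toString("base64url");
  const maxAge = 24 * 60 * 60;
  const expires = new Date(now.getTime() + maxAge * 1000).toUTCString();
  return {
    token,
    setCookie: `session=${token}; Path=/; Max-Age=${maxAge}; Expires=${expires}; HttpOnly; Secure; SameSite=Strict`,
  };
}
```

Two further points about the CSP row: a meta-delivered policy only governs content parsed after the meta element, so anything earlier in the document is unconstrained, and allowlisting a whole CDN host permits any script that host serves; per-response nonces or hashes on script-src are the stronger form once the policy moves to a header.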