Enterprise-Grade Security & Compliance

OpenObserve delivers secure, scalable observability with encryption, RBAC, SSO, and comprehensive audit controls—built for the most demanding enterprise environments.

Overview

OpenObserve is a lightweight, highly scalable observability platform built for secure, petabyte-scale logs, metrics, and traces. Security is embedded in our architecture and day-to-day operations, enabling you to adopt OpenObserve with confidence in regulated and enterprise environments.

Our Security Commitment

At OpenObserve, we prioritize security at every level of our platform. From secure-by-default configurations to enterprise-grade compliance certifications, we ensure your observability data remains protected while maintaining the performance and scalability you need.

Supported Projects & Versions

OpenObserve consists of multiple distributions:

  • OpenObserve (OSS): The open-source core available in our GitHub repository
  • OpenObserve Enterprise: Commercial features built on top of the open-source foundation
  • OpenObserve Cloud: Our fully-managed hosted service

We provide security fixes for the current stable release. Pre-release builds (main branch, release candidates) are supported on a best-effort basis.

Security Architecture

Zero Trust Architecture

OpenObserve implements zero trust principles through:

  • Integration with leading zero trust providers like Cloudflare
  • Continuous verification of all users and devices
  • Microsegmentation of network resources
  • Context-aware access policies
  • No implicit trust based on network location

Encryption in Transit

  • TLS 1.2+ encryption for all client-to-API communications
  • Secure service-to-service traffic with mutual TLS support
  • Certificate pinning available for enhanced security

Encryption at Rest

  • Full encryption support at the storage layer
  • Integration with cloud KMS services (AWS KMS, Azure Key Vault, GCP KMS)
  • Encrypted backups and snapshots

Data Minimization

  • Optional redaction pipelines to remove sensitive fields before indexing
  • Configurable data retention policies with automatic deletion

Access Control & Identity Management

Authentication

  • API tokens and keys for secure ingestion and query operations
  • Per-organization scoping for multi-tenant environments
  • Token rotation policies with configurable expiration

Authorization

  • Role-Based Access Control (RBAC) for granular permissions
  • User, team, and token-level access management
  • Least privilege principle enforcement

Single Sign-On (SSO)

  • SAML 2.0 support for enterprise identity providers
  • OpenID Connect (OIDC) integration
  • OAuth 2.0 authentication flows
  • Support for major identity providers including:
    • LDAP and Active Directory
    • GitHub, GitLab, Google
    • LinkedIn, Microsoft
    • Okta, Auth0, Keycloak
    • Any SAML 2.0 or OIDC-compliant provider

Multi-Tenancy & Isolation

  • Logical separation through organizations and streams
  • Resource quotas and rate limiting per tenant
  • Network-level isolation options for strict compliance requirements
  • Dedicated infrastructure options for enterprise customers
  • Complete environment isolation with separate AWS accounts for:
    • Development environments
    • Staging environments
    • Production systems
    • Audit and compliance logs
    • Log storage and archival

High Availability & Resilience

Infrastructure Architecture

  • Multi-AZ Deployment: Production services distributed across multiple availability zones
  • Auto-scaling: Automatic capacity adjustment based on load patterns
  • Load Balancing: Redundant load balancers with health checks and automatic failover
  • No Single Points of Failure: All critical components deployed in N+1 configuration

Data Durability & Backup

  • Point-in-time Recovery: Continuous backups with configurable retention
  • 99.999999999% (11 9's) Durability: Leveraging S3 for object storage

Disaster Recovery

  • RTO (Recovery Time Objective): 4 hours for critical services
  • RPO (Recovery Point Objective): 1 hour maximum data loss
  • Automated Failover: Zero-downtime failover for stateless services

Service Availability

  • 99.9% Uptime SLA: For OpenObserve Cloud production workloads
  • Planned Maintenance Windows: Communicated 7 days in advance
  • Zero-downtime Deployments: Rolling deployment strategy

Monitoring & Observability

  • Real-time monitoring: Sub-minute alerting for service degradation
  • Custom dashboards: Service health visibility for customers

Network Resilience

  • DDoS Protection: Multi-layer DDoS mitigation at network edge
  • CDN integration: Global content delivery network for static assets
  • Network Path Diversity: Multiple upstream providers and peering arrangements
  • Edge Locations: Distributed points of presence for reduced latency

Compliance & Trust

SOC 2 Type II (Certified)

OpenObserve has achieved SOC 2 Type II certification, demonstrating our commitment to:

  • Access control and user management
  • Change management procedures
  • System monitoring and alerting
  • Incident response protocols
  • Data protection measures

Framework Alignment

Our security controls map to common compliance frameworks:

  • NIST Cybersecurity Framework
  • CIS Controls
  • HIPAA Security Rule (for healthcare customers)
  • GDPR requirements (for EU data protection)

Personnel Security

Background Verification

  • Comprehensive background checks for all employees (where legally permitted)
  • Reference verification and employment history validation
  • Ongoing monitoring for security-sensitive roles

Security Training

  • Mandatory security and privacy training during onboarding
  • Annual refresher training for all team members
  • Role-specific security training for:
    • Engineers: Secure coding practices and vulnerability management
    • Operations: Incident response and system hardening
    • Support: Data handling and customer privacy

Access Management

  • Principle of least privilege
  • Regular access reviews
  • MFA requirement for all employees

Physical Security

Cloud Infrastructure Security

OpenObserve Cloud leverages the physical security controls provided by leading cloud service providers (CSPs) including AWS, Azure, and GCP. These providers maintain comprehensive physical security measures that meet or exceed industry standards.

CSP-Provided Security Controls

Our cloud infrastructure benefits from:

  • AWS: SOC 1/2/3, ISO 27001/27017/27018 certified data centers
  • Azure: ISO 27001, HIPAA, FedRAMP certified facilities
  • GCP: ISO 27001, SOC 2/3, PCI DSS compliant data centers

Data Center Security Features

Through our CSP partnerships, we inherit enterprise-grade physical security:

  • 24/7 security personnel and video surveillance
  • Biometric and multi-factor access controls
  • Mantrap entry systems and security checkpoints
  • Regular third-party security audits and certifications
  • Compliance with regional and industry-specific standards

Environmental Controls

CSP data centers provide:

  • Redundant power systems with backup generators
  • Climate control with N+1 HVAC systems
  • Fire detection and suppression systems
  • Water leak detection and flood prevention
  • Seismic bracing in earthquake-prone regions

Media Security

  • Secure media destruction following NIST 800-88 guidelines
  • Encrypted storage devices by default
  • CSP-managed decommissioning with certificates of destruction
  • No physical media access in cloud environments

Compliance Inheritance

By leveraging CSP infrastructure, OpenObserve Cloud customers automatically benefit from:

  • Regular compliance audits (SOC 2, ISO 27001, PCI DSS)
  • Physical security controls that meet regulatory requirements
  • Transparent security practices through CSP compliance reports
  • Continuous improvements in physical security measures

Self-Hosted Deployments

For self-hosted OpenObserve deployments, physical security is the responsibility of the customer and should align with organizational security policies and compliance requirements.

Platform Security Features

Audit Logging

  • Comprehensive audit trails for all administrative actions
  • User access events and API usage tracking
  • Immutable log storage for 365 days with tamper detection
  • Integration with external SIEM systems

Configuration Management

  • Version control for all configuration changes
  • Change approval workflows
  • Automated configuration compliance scanning
  • Infrastructure as Code (IaC) for reproducible deployments

Rate Limiting & DoS Protection

  • Configurable rate limits per API endpoint
  • Automatic throttling for suspicious activity
  • DDoS mitigation at network edge
  • Resource quotas to prevent abuse

Privacy & Data Governance

Data Retention

  • Configurable retention policies per stream or index
  • Automated data deletion on schedule
  • Compliance with data minimization principles
  • Backup retention separate from primary data

Data Residency

  • Self-hosted: Complete control over data location
  • Cloud hosted:
    • US regions: Ohio (us-east-2)
    • EU regions: Coming soon
    • APAC regions: Coming soon

Right to Erasure

  • Support for GDPR Article 17 compliance
  • Granular deletion by organization or stream
  • Documented procedures for data removal
  • Verification of deletion completion

Secure Development Lifecycle

Code Security

  • Mandatory code reviews for all changes
  • Static application security testing (SAST)
  • Software composition analysis for dependencies

Vulnerability Management

  • Regular security patching schedule
  • CVE tracking and prioritization
  • Responsible disclosure program
  • Security advisory notifications

Build & Supply Chain Security

  • Reproducible builds with pinned dependencies and build tools
  • Version pinning for all dependencies to ensure deterministic builds
  • Software Bill of Materials (SBOM) available in our GitHub repository for all supported releases
  • Use of distroless containers to minimize attack surface
  • Public verification through GitHub Actions logs: all release builds are publicly auditable

Security Updates

  • Proactive dependency updates and security fixes in patch releases
  • Security-relevant changes highlighted in release notes
  • Security advisories published via GitHub (GHSA) and CVE databases
  • Critical patches deployed within 48 hours of disclosure

Testing & Quality Assurance

  • Automated security testing in CI/CD
  • Automated monthly penetration testing

Incident Response

Response Process

  1. Detection: 24/7 monitoring and alerting by our internal security team
  2. Triage: Severity assessment and escalation
  3. Containment: Immediate threat mitigation
  4. Investigation: Root cause analysis
  5. Remediation: Fix implementation and validation
  6. Communication: Customer notification per SLAs
  7. Post-mortem: Lessons learned and process improvement

Communication

  • Security incident notifications within 24 hours
  • Regular status updates during active incidents
  • Detailed post-incident reports
  • Transparent security advisories

Shared Responsibility Model

OpenObserve Provides:

  • Secure software with security-by-default configurations
  • Authentication and authorization frameworks
  • Encryption capabilities and key management interfaces
  • Audit logging and monitoring capabilities
  • Security patches and updates
  • Compliance certifications and attestations

Customer Responsibilities:

  • Identity and access management configuration
  • Network security (VPC, firewalls, WAF)
  • Secret and credential management
  • Data classification and retention policies
  • Endpoint security for client systems
  • Monitoring and responding to security events

Security Best Practices Checklist

  • Initial Setup
  • Access Management
  • Data Protection
  • Monitoring & Compliance

Vulnerability Disclosure

Reporting Security Issues

We encourage responsible disclosure of security vulnerabilities. Please report issues through one of these channels:

  1. GitHub Security Advisory (Preferred)
    • Navigate to our GitHub repository
    • Go to Security → "Report a vulnerability"
    • Submit a private advisory
  2. Email: security@openobserve.ai
    • Use PGP encryption if available
    • Include "SECURITY" in the subject line

What to Include in Reports

  • Clear description of the vulnerability and its impact
  • Affected components (repository, package, service)
  • Version numbers and environment details
  • Reproducible steps or proof of concept (non-destructive)
  • CVSS v3.1 score estimation (if available)
  • Any relevant logs, screenshots, or traces

Vulnerability Scope

In Scope

  • Remote code execution, injection, authentication/authorization bypass, data exposure
  • Logic flaws causing privilege escalation or data integrity issues
  • Supply chain risks in our build/release artifacts
  • Default configuration issues that materially reduce security
  • OpenObserve Cloud issues (tenant isolation, API auth, data access)

Out of Scope

  • Vulnerabilities requiring physical access or stolen credentials
  • Denial of service from volumetric attacks without a product flaw
  • Best-practice recommendations without a concrete vulnerability
  • Issues only affecting unsupported/End-of-Life versions
  • Vulnerabilities in third-party dependencies with no exploitable impact in OpenObserve's usage (we'll upstream where appropriate)

Responsible Testing Guidelines

  • Use test accounts or your own accounts and data only; avoid accessing others' data
  • Avoid actions that degrade service for other users (no volumetric/DoS)
  • Limit testing on OpenObserve Cloud to non-production accounts and data
  • Do not run automated scanners against OpenObserve Cloud without prior coordination
  • Respect rate limits and legal boundaries in your jurisdiction
  • If you discover sensitive data exposure, stop testing immediately and report privately

Coordinated Disclosure

We request a 90-day disclosure window by default. We may extend this for complex fixes or cross-vendor coordination. We publish advisories via GitHub Security Advisories (GHSA) and CVE where applicable, crediting reporters who wish to be named.

Safe Harbor

We support good-faith research. If you:

  • Follow this policy
  • Avoid privacy violations, data destruction, and service disruption
  • Report vulnerabilities promptly and do not abuse them

We will not pursue or support legal action against you. This safe harbor does not cover unlawful actions, uncoordinated testing on production systems, or use of data beyond what's necessary to demonstrate the issue.

Recognition

  • Credit in security advisories (with permission)
  • Inclusion in our security hall of fame
  • Thank you swag for significant findings

Bug Bounty Program

At this time, we do not operate a public bug bounty program. We are grateful for responsible disclosures and, with your consent, will credit you in release notes or advisories. From time to time we may offer thank-you swag. If a bounty program is introduced in the future, we will update this policy accordingly.

Reporting Fraud & Abuse

When to Report:

Please report the following types of incidents immediately:

  • Phishing attempts using OpenObserve branding
  • Unauthorized use of OpenObserve accounts or infrastructure
  • Suspicious activity on OpenObserve Cloud affecting your organization
  • Copyright or trademark infringement
  • Abuse of OpenObserve services for malicious purposes
  • Spam or harassment originating from OpenObserve systems
  • Account abuse or suspicious activity affecting OpenObserve Cloud

How to Report

  • Email: abuse@openobserve.ai
  • For active incidents: Include "URGENT" in the subject line
  • For OpenObserve Cloud: Include affected organization ID and timestamps

What to Include

  • Description of the fraudulent or abusive activity
  • Screenshots or evidence of the abuse
  • Timestamps and relevant URLs
  • Account information if known
  • Any communications received

Our Response

  • Initial acknowledgment: Within 24 hours
  • Investigation: We will investigate all credible reports
  • Action: Appropriate measures including account suspension, legal action, or law enforcement referral
  • Follow-up: Status updates for the reporter when possible

Zero Tolerance Policy

OpenObserve maintains a zero-tolerance policy for:

  • Use of our platform for illegal activities
  • Attempts to compromise other users' data
  • Distribution of malware or malicious code
  • Violation of our Terms of Service or Acceptable Use Policy

Security Contacts

Additional Resources
Last Updated: August 2025

OpenObserve is committed to maintaining the highest standards of security and compliance. This document is regularly updated to reflect our current security posture and practices.

FAQs