Sentry

Last updated · May 8, 2026

Security at Sentry

Security isn't a layer we add — it's the product. This page summarizes how we build, operate, and report on the security of Sentry by Dark Rock Labs.

Architecture

  • Multi-tenant isolation — every data row carries a tenantId and is protected by Postgres Row-Level Security policies, not just application checks.
  • Encryption in transit — TLS 1.3 on every public endpoint; HSTS preload-eligible.
  • Encryption at rest — AES-256 (Supabase / Vercel managed storage).
  • Secret management — secrets live only in Vercel environment variables; nothing in the repo, nothing in logs.
  • Least-privilege auth — Supabase Auth + Postgres roles; service-role keys never reach the browser.
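The per-row tenant scoping described above, as an added illustration of the pattern rather than Sentry's own schema or policies; the table, the `tenant_id` column (the page's `tenantId`), the `authenticated` role and the `tenant_id` JWT claim are assumptions:

```sql
-- Constructed example table; names are assumptions, not Sentry's schema.
CREATE TABLE events (
  id        bigserial PRIMARY KEY,
  tenant_id uuid  NOT NULL,
  payload   jsonb NOT NULL
);

-- Enable RLS, and FORCE it so the table owner is subject to the policies too.
ALTER TABLE events ENABLE ROW LEVEL SECURITY;
ALTER TABLE events FORCE ROW LEVEL SECURITY;

-- Resolve the caller's tenant from the JWT claims that Supabase/PostgREST
-- exposes as the 'request.jwt.claims' setting (claim name assumed).
-- missing_ok = true makes this return NULL, not an error, outside a request,
-- so an unauthenticated session matches no rows at all.
CREATE OR REPLACE FUNCTION current_tenant_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT (NULLIF(current_setting('request.jwt.claims', true), '')::jsonb
          ->> 'tenant_id')::uuid
$$;

-- USING filters what can be read, updated or deleted; WITH CHECK rejects any
-- INSERT or UPDATE that would place a row under a different tenant.
CREATE POLICY tenant_isolation ON events
  FOR ALL TO authenticated
  USING (tenant_id = current_tenant_id())
  WITH CHECK (tenant_id = current_tenant_id());

-- Caveat: roles with BYPASSRLS (the Supabase service role, superusers) are not
-- filtered by these policies, which is why the service-role key must stay
-- server-side and never reach the browser.
```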

Application security

  • Server actions enforce session checks and tenant scoping on every request.
  • Strict security headers: CSP, X-Frame-Options DENY, X-Content-Type-Options nosniff, Permissions-Policy, Referrer-Policy strict-origin-when-cross-origin.
  • HTML sanitization (sanitize-html) on every untrusted HTML render.
  • Dependency scanning via GitHub Dependabot; high-severity advisories fixed within 7 days.

Sub-processors

  • Vercel Inc. — application hosting and edge delivery.
  • Supabase Inc. — Postgres database, authentication, object storage.
  • Resend Inc. — transactional email.

We notify administrators of material sub-processor changes at least 30 days in advance.

Operational practices

  • Backups — automated daily snapshots with point-in-time recovery to 7 days.
  • Logging — request logs retained 30 days; security audit logs retained 12 months.
  • Incident response — 24-hour notification target for confirmed security incidents affecting Customer Data.
  • Change management — every production change ships through a PR with code review and automated checks.

Compliance roadmap

  • SOC 2 Type II — observation period in progress (target completion Q4 2026).
  • ISO 27001 — controls mapped; certification audit scheduled Q1 2027.
  • HIPAA — BAA available for Enterprise customers handling PHI.
  • GDPR / UK GDPR / CCPA — DPA available at contract signing.

Reporting vulnerabilities

We welcome reports from the security community. Email security@darkrocksecurity.com or use our PGP key (fingerprint available on request). We commit to acknowledging reports within 2 business days and providing a status update within 7 days. We do not pursue good-faith researchers who follow responsible disclosure.

Trust portal

Customers and prospects under NDA may request SOC 2 reports, penetration-test summaries, and our latest sub-processor list at trust@darkrocksecurity.com.

© 2026 Dark Rock Labs, Inc.