Trust center

Security and governance controls for enterprise observability.

AImonitoring is built for teams that need monitoring data, telemetry, incident response, verified integrations, tenant lifecycle controls, and access governance in one production system. This page summarizes the controls currently implemented and the enterprise readiness roadmap.

Identity and access

  • Organization roles for owner, admin, and member access
  • Team membership with lead and member roles for service ownership
  • Owner-only owner management and last-owner protection
  • Invitation management for adding users to an organization
  • Authenticated dashboard, admin, and API surfaces kept out of public search indexing

Audit and accountability

  • Audit log for access changes, invitations, role changes, and team membership changes
  • Audit log for monitor, service, SLO, dependency, alert channel, routing, and API key changes
  • Audit log for incident acknowledgement, notes, resolution, post-incident reviews, and review action items
  • CSV and JSON audit export when enabled by organization policy
  • Alert delivery logs for notification attempts and channel outcomes
  • Post-incident reviews with timeline, impact, root cause, published status, and action items

Key and telemetry handling

  • Telemetry API keys are generated with strong random values
  • Raw API keys are shown once at creation and stored only as SHA-256 hashes
  • Revoked keys are rejected by ingestion authentication
  • OTLP JSON ingestion is scoped to the authenticated organization key
  • DB-backed rate limits protect telemetry ingest, agent ingest, heartbeat, and GitHub webhook endpoints
  • GitHub webhook signatures are verified and delivery IDs are idempotently tracked
  • Trace, metric, log, and agent telemetry data is organized under the owning organization
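
The key-handling and webhook controls listed above can be sketched as follows. This is an added example, not AImonitoring's own code: it shows hash-only key storage with revocation and organization scoping, plus GitHub `X-Hub-Signature-256` verification with delivery-ID deduplication. The function names, the `aim_` key prefix, and the in-memory maps standing in for database tables are assumptions.

```javascript
// Added example: constructed sketch, not AImonitoring source code.
const crypto = require('node:crypto');

const sha256Hex = (s) => crypto.createHash('sha256').update(s).digest('hex');

// In-memory stand-ins for database tables (assumption).
const keyTable = new Map();        // key hash -> { orgId, revoked }
const seenDeliveries = new Set();  // processed webhook delivery IDs

// Create a key: return the raw value once, persist only its SHA-256 hash.
function createApiKey(orgId) {
  const raw = 'aim_' + crypto.randomBytes(32).toString('base64url'); // hypothetical prefix
  keyTable.set(sha256Hex(raw), { orgId, revoked: false });
  return raw;
}

function revokeApiKey(raw) {
  const row = keyTable.get(sha256Hex(raw));
  if (row) row.revoked = true;
}

// Ingestion auth: hash the presented key, look it up, reject unknown or revoked.
// The returned orgId is the only tenant the request may write to.
function authenticate(presented) {
  if (typeof presented !== 'string') return null;
  const row = keyTable.get(sha256Hex(presented));
  return row && !row.revoked ? row.orgId : null;
}

// GitHub webhook: X-Hub-Signature-256 is "sha256=" + HMAC-SHA256(secret, raw body).
function verifyWebhook(secret, rawBody, signatureHeader, deliveryId) {
  const expected = 'sha256=' + crypto.createHmac('sha256', secret).update(rawBody).digest('hex');
  const a = Buffer.from(expected);
  const b = Buffer.from(String(signatureHeader || ''));
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 'rejected';
  if (seenDeliveries.has(deliveryId)) return 'duplicate'; // retry or replay: do not reprocess
  seenDeliveries.add(deliveryId);
  return 'accepted';
}
```

An unsalted SHA-256 is adequate here only because the key is 32 bytes of random data; the same storage scheme would not be appropriate for user-chosen passwords.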

Operational reliability

  • Multi-region synthetic checks for availability and latency visibility
  • Failure and recovery thresholds to reduce alert noise
  • Service catalog, owner teams, SLOs, and dependency mapping
  • Maintenance windows to suppress planned-work alerts
  • Escalation policies with primary and secondary routing
  • On-call schedules with responder rotations and temporary overrides
  • Verified integration lifecycle separates configured setup from connected provider delivery
  • Root and dashboard error boundaries keep unexpected view failures from exposing raw stack traces

Customer communication

  • Hosted public status pages for monitored services
  • Incident timelines and responder notes for internal coordination
  • Post-incident review publishing for follow-through
  • Plain-language incident summaries and AI-assisted post-incident review drafts
  • Service dependency context for downstream impact review
  • Tenant export and deletion requests with auditability, worker processing, and deletion tombstones

Deployment architecture

  • Next.js web application separated from the probe and alert worker
  • Managed PostgreSQL database with Drizzle schema and migrations
  • Database-backed incident state, queued alert delivery, integration delivery logs, and tenant lifecycle processing
  • Server-side guarded egress for outbound monitor checks
  • NEXUS AI deployment target with managed web, worker, and database services

Important note

Compliance claims are intentionally precise.

AImonitoring has enterprise security and governance controls in the product, but this page does not claim SOC 2, ISO 27001, HIPAA, or FedRAMP certification. Formal certifications should be treated as future compliance work until completed.

Enterprise roadmap

Next controls for larger buyers

  • SAML/SSO for enterprise identity providers
  • SCIM provisioning for automated user lifecycle management
  • Formal SOC 2 readiness package and security questionnaire exports

Procurement and security review

Need a technical review before rollout?

Share your security requirements and deployment expectations, and we will map them against the current controls and roadmap.
