Security is ongoing work at ChangeSentry. This page summarizes how we protect customer data, limit crawler risk, operate infrastructure responsibly, and handle vulnerability reports.
1. Encryption and transport
Production traffic is served over HTTPS. Managed storage providers encrypt data at rest, and TOTP-based two-factor authentication is supported for all accounts. Production notification secrets, such as Discord webhooks and Telegram bot tokens, should be encrypted at rest when the required secret configuration is present.
2. Data handling
We store the data needed to run monitors, deliver notifications, keep history, support users, and operate the service. Retention depends on plan limits and operational archive settings. See the Privacy Policy for more detail on categories, subprocessors, and retention. Business customers can review vendor usage on the Subprocessors and Vendors page and start DPA review from the DPA overview.
3. Crawler safeguards
The crawler is designed with SSRF protections, domain-aware rate limiting, robots.txt expectations, and monitor controls that let us pause abusive or risky checks. Customers are responsible for monitoring only pages they are authorized to watch.
4. Infrastructure and access
Production components run on managed cloud infrastructure. Administrative access follows least-privilege practices and is audited where applicable.
5. Compliance readiness
ChangeSentry is designed around GDPR, UK GDPR, and US privacy expectations, including data rights support, consent-aware cookies, and clear customer responsibilities. Read the GDPR overview and Cookie Policy for related detail.
6. Backup and recovery
Production data is stored on managed infrastructure with automated backup capabilities provided by our hosting and database providers. Backup retention and recovery objectives are subject to the terms and capabilities of those providers. ChangeSentry does not guarantee a specific recovery time or recovery point objective for all failure scenarios.
7. Security testing
ChangeSentry conducts periodic internal security reviews and relies on managed infrastructure providers that maintain their own security programs, certifications, and testing schedules. We do not currently hold a SOC 2 or ISO 27001 certification. If your organization requires a security questionnaire or vendor review, contact security@changesentry.com.
8. Incident communication and breach notification
When a service issue affects customers, we use product notices, support channels, and the public status page as appropriate to communicate impact and recovery. In the event of a confirmed personal data breach, ChangeSentry will notify affected customers and, where required by applicable law, the relevant supervisory authority within 72 hours of becoming aware of the breach, to the extent reasonably practicable. Notification will include the nature of the breach, categories and approximate number of individuals affected, likely consequences, and measures taken or proposed.
9. Vulnerability disclosure
If you believe you have found a security vulnerability, email security@changesentry.com with details, affected URLs, steps to reproduce, and any relevant screenshots or logs. We aim to acknowledge valid reports within 5 business days and to provide status updates as the investigation progresses.
Please avoid testing that accesses other users' data, degrades service, bypasses third-party website controls, sends spam, performs denial-of-service testing, social engineers users or staff, or causes harm. We appreciate coordinated, good-faith reports. This page is not a bug bounty program or a promise of payment.
10. Contact
Report a vulnerability to security@changesentry.com. Request contractual security questionnaires or vendor review through the contact page or by emailing support@changesentry.com with your organization and timeline.