Skip to content

Security

Zero-data-egress security architecture. All log processing happens in your infrastructure -- logs never leave your network.

Data Protection

Where does log processing happen

All processing happens in your infrastructure:

You control where processed events go via output configuration (files, forwarders, metric destinations). Log10x never receives log content.

What data does Log10x actually see

Zero log content. When configured to send metrics to our SaaS (optional), only aggregated metrics leave your network -- event counts and byte volumes grouped by enrichment fields (message pattern identity derived from symbol tokens in your source code, severity level, K8s container/namespace, HTTP status code). No log messages, no PII, no sensitive data. You can also send metrics to your own TSDB instead -- we never see anything.

What log data leaves my environment

None. Log data never leaves your infrastructure. The architecture keeps all log content in your environment.

The only data that optionally reaches our SaaS is aggregated metrics (event counts, byte volumes). No log content is included.

Optional AI recommendations: The Console provides AI-powered analysis on ROI Analytics dashboards in three configurable modes: Managed (hosted by Log10x), Bring Your Own Key (OpenAI, Anthropic, xAI, Azure OpenAI, or self-hosted via Ollama or any OpenAI-compatible endpoint), or Disabled (no data sent to any AI provider). Only aggregated metrics from Prometheus (event type names, volume, cost) are sent -- never raw log content. All API keys are encrypted at rest.

What specific metrics leave my network in managed mode

In managed console mode, 10x apps send aggregated metrics to prometheus.log10x.com over TLS 1.3. The exact fields:

Label Example Value Contains PII?
tenx_env production No
tenx_app order-service No
tenx_host_name edge-node-1 No
tenx_pipeline_uuid a1b2c3d4-... No
severity_level ERROR No
message_pattern Failed to connect to {} No
k8s_namespace payments No
k8s_container api-gateway No
http_code 503 No
index_app main No

Metric values are counters and gauges: event counts, byte volumes, processing times. message_pattern is a template name derived from log statement structure (placeholders replace all variable data) -- it contains no log content, no request data, no PII.

Billing telemetry: Engines also send lightweight heartbeats (tenx_pipeline_up, tenx_pipeline_info) containing node ID and pipeline name for license tracking. No log content, no PII. Air-gapped deployments use a local License Receiver instead.

Self-managed mode: Nothing is sent to Log10x. All metrics go to your own TSDB.

Sensitivity note: Metric labels include infrastructure metadata such as application names, Kubernetes namespace names, and log pattern templates. Organizations that classify infrastructure topology as sensitive should deploy self-managed -- no data reaches Log10x systems.

What are symbol libraries and do they contain my code

Symbol libraries contain 64-bit hashes of string constants extracted from your log statements, plus class and method names to identify the source of each log statement. They contain no source code, no log data, and no telemetry. Compilation happens in your CI/CD pipeline — we never see your repositories, code, or symbol libraries. See the Compiler FAQ for full details.

Is AI optional? What data does it send

Fully optional. The Console provides AI-powered analysis on ROI Analytics dashboards in three configurable modes:

  • Managed — hosted by Log10x using xAI Grok (default in SaaS mode, included in subscription)
  • Bring Your Own Key — OpenAI, Anthropic, xAI, Azure OpenAI, or any OpenAI-compatible endpoint including self-hosted Ollama
  • Disabled — raw metrics only, no data sent to any AI provider

SaaS mode: AI analysis is enabled by default using the Log10x-managed provider. Only aggregated metrics from Prometheus (event type names, volume, cost) are sent -- never raw log content. You can switch to Disabled at any time in Console settings.

Self-managed mode: AI is not preconfigured -- you control whether and how to enable it. No API key is provided by Log10x.

All API keys are encrypted at rest. Disabling AI has no impact on core optimization functionality. See AI Analysis for full configuration.

How do I validate that critical security logs aren't being filtered

Multi-layer validation ensures security logs always reach your analytics tool:

  1. Shadow mode testing: Deploy Edge Reporter as a read-only sidecar -- it monitors your live event stream without modifying, filtering, or redirecting any data. Compare what would be optimized vs actual security events before enabling production changes.
  2. Allowlist approach: Explicitly preserve all logs from security indexes. Allowlist sourcetypes like firewall, ids, authentication.
  3. Metrics tracking: Dropped event counts are recorded in aggregated metrics -- compare total vs emitted volumes to verify nothing unexpected was filtered.
  4. Compliance reporting: Daily summary confirms zero security logs filtered. Start with no filtering on security sources, then expand gradually after 30-day validation.

Compliance

How is data encrypted
  • In transit: TLS 1.3 for all API communications
  • At rest: AES-256 for any stored metrics in our SaaS
  • Self-hosted: Customer-managed KMS keys supported

Since logs stay in your infrastructure, they're protected by your existing encryption controls.

Is Log10x SOC 2 certified

Log10x SOC 2 certification is planned for 2026. SIG Lite questionnaire responses are available on request -- contact security@log10x.com.

Organizations that require SOC 2 from all vendors: Deploy self-managed. Log10x becomes a software licensor, not a data processor -- no data reaches Log10x systems and your existing compliance controls (SOC 2, HIPAA, PCI DSS) apply directly.

SaaS Console option: If you use our managed Console, it runs on AWS Managed Grafana and Prometheus, which maintain SOC 2 Type II, ISO 27001, and PCI DSS compliance. Only aggregated metrics (event counts, byte volumes) reach the SaaS -- never log content.

How does Log10x support GDPR compliance

DPA available on request. Since log data never leaves your infrastructure, it never crosses borders.

Deploy in your EU infrastructure and data stays in the EU -- no complex data transfer mechanisms needed. The SaaS Console is currently available in US regions; EU hosting is on our roadmap. Self-managed deployments can run in any region today.

DPA key terms: Data scope limited to aggregated metrics only (no log content, no PII). Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication), xAI (AI analysis, when enabled in managed mode). Deletion on request via security@log10x.com. Contact us for the full DPA.

Can Log10x support HIPAA requirements

BAA available for enterprise customers. Data scope limited to aggregated metrics -- no PHI content. Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication). Contact security@log10x.com.

All log processing happens in your environment, so PHI never leaves your HIPAA-compliant infrastructure. Log10x only receives aggregate metrics -- no PHI content.

What about SOX and PCI-DSS

Audit trails are maintained entirely in your infrastructure.

Log10x doesn't process or store log content, placing us outside your CDE (Cardholder Data Environment). Your existing controls apply -- the architecture simplifies compliance scope.

How long are metrics retained in the SaaS

90 days. Metrics in the managed Console auto-expire after 90 days. Customers can request early deletion via security@log10x.com. On account termination, all metrics data is purged.

Self-managed: You control retention via your own Prometheus configuration.

What is your incident response and breach notification process

72-hour breach notification (GDPR-aligned). If the Log10x SaaS is compromised:

  1. Scope: Limited to aggregated metrics (event counts, byte volumes). No log content is stored in our SaaS.
  2. Notification: Affected customers notified via email within 72 hours.
  3. Status: Real-time updates at status.log10x.com.
  4. Contact: security@log10x.com for incident response details.

Self-managed: Log10x has no access to your infrastructure -- incident response is handled entirely by your team.

Authentication & Access

How does authentication work

Console — depends on deployment model:

  • SaaS: Auth0 with enterprise SSO (SAML 2.0, OIDC), MFA, session timeout
  • On-premises: Your OAuth provider or deployed Keycloak instance
  • Air-gapped: On-premises OAuth with no external dependencies

Apps — API key-based authentication for edge/cloud apps sending metrics. Keys generated via REST API with full lifecycle management (rotate, revoke, regenerate), scoped per environment/team.

Environment access control: Console access is scoped per environment with three permission levels: Owner (full control), Write (modify settings), and Read (view dashboards). API keys are scoped per environment and user.

How are vulnerabilities handled

Dependency updates monitored continuously.

  • Critical vulnerabilities (CVSS 9.0+): 48-hour SLA
  • All other severities: 30-day SLA
  • Reporting: security@log10x.com -- response within 24 hours
  • Disclosure: coordinated disclosure with recognition for valid findings

Attack surface context: Edge apps have no inbound network listeners. All log processing uses local IPC between the forwarder and sidecar. Outbound connections are limited to metrics push (HTTPS to Prometheus endpoint).

Container security: Deployment model varies by forwarder. OTel Collector and Logstash run 10x as a separate sidecar container (non-root, read-only root filesystem, independent resource limits). Fluentd, Fluent Bit, and Filebeat embed 10x as a child process within the forwarder container, inheriting its security context. See Deployment Models for details.

Can we do a security review before purchasing

Yes. Enterprise customers can schedule architecture reviews with our founders. We walk through data flows, discuss deployment models, and answer technical questions.

Documentation available:

Customers may conduct their own security assessment of edge app container images. Contact security@log10x.com to coordinate.

Who at Log10x can access my metrics data

SaaS mode: Access to customer Prometheus and Grafana instances is limited to engineering leads for operational support. All access is audited via AWS CloudTrail. Access logs are available on request -- contact security@log10x.com.

Self-managed mode: Log10x has zero access to your infrastructure, metrics, or dashboards.

What does the compiler do

The Compiler runs inside your environment (k8s cluster, CI/CD) to generate symbol libraries. Log10x never sees your repositories, code, or symbol libraries. See the Compiler FAQ for what the compiler extracts, how it's stored, and how to scope access.

How are analytics tool credentials managed

API keys for Splunk, Datadog, GitHub, etc. remain in your infrastructure. Never transmitted to Log10x SaaS.

10x apps run within your managed environment and connect to analytics tools using your existing network access.

Deployment Options

Which cloud providers are supported

Edge apps run anywhere -- on-premise, any cloud, Kubernetes, VMs.

Cloud apps currently support AWS (S3, CloudWatch Logs). Azure and GCP support planned.

Self-hosted Console uses AWS Managed Services. Other cloud options are on the roadmap.

Is Log10x available in EU regions

Currently available in US regions. EU deployment is on our roadmap.

Self-managed deployments can run in any region today using your own infrastructure. Contact us for EU self-managed options.

All edge processing runs in your infrastructure regardless of region. Only the management console is region-specific.

How is tenant data isolated in the managed console

Each customer gets dedicated infrastructure in the managed console:

  • Separate Prometheus workspace per customer -- metrics are never co-mingled
  • Isolated Grafana organization -- dashboards and data sources are tenant-scoped
  • AWS managed service infrastructure with VPC-level network isolation
  • Access audited via AWS CloudTrail

Self-managed: Single-tenant by definition. You deploy your own Prometheus and Grafana.

What network access do edge apps require
Connection Destination Port Protocol Required
Metrics push prometheus.log10x.com (SaaS) or your TSDB 443 HTTPS / TLS 1.3 Yes
Artifact pull GitHub / Docker Hub 443 HTTPS Deploy-time only
License validation prometheus.log10x.com 443 HTTPS Optional

Air-gapped mode: After initial image pull to your private registry, edge apps require zero external connectivity. Configure metric output to your local TSDB and use a local License Receiver.

Can I run 10x fully on-premises or air-gapped

Yes. All Edge and Cloud apps, plus the Console (Grafana + Prometheus), can run entirely in your infrastructure with no external dependencies. In this model no data reaches Log10x systems — your existing compliance controls (SOC 2, HIPAA, PCI DSS) apply directly.

  • Full feature parity with SaaS version
  • Local authentication via Keycloak or your identity provider
  • Private container registry support for fully disconnected environments
  • Edge apps require zero external connectivity when configured to output metrics to your local TSDB
  • Terraform templates provided for air-gapped environments