Compliance

Encryption at rest and in transit, SOC 2, GDPR, HIPAA, SOX/PCI DSS, metric retention, and incident response.

How is data encrypted
  • In transit: TLS 1.3 for all API communications between your deployment and the Log10x SaaS
  • At rest: AES-256 for the aggregated metrics stored in our SaaS
  • Self-managed: Customer-managed KMS keys are supported, so key custody stays with you

Since logs stay in your infrastructure, they're protected by your existing encryption controls.

Is Log10x SOC 2 certified

Log10x does not currently hold a SOC 2 report; one is planned for 2026. In the meantime, SIG Lite questionnaire responses are available on request -- contact security@log10x.com.

Organizations that require SOC 2 from all vendors: Deploy self-managed. Log10x is then a software licensor, not a data processor -- no data reaches Log10x systems, and your existing compliance controls (SOC 2, HIPAA, PCI DSS) apply directly. If your vendor review needs evidence for this, your own egress controls can confirm that the deployment makes no outbound connections to Log10x.

SaaS Console option: If you use our managed Console, it runs on AWS Managed Grafana and Prometheus, which maintain SOC 2 Type II, ISO 27001, and PCI DSS compliance. Note the shared-responsibility boundary: those attestations cover AWS's operation of the underlying services, not Log10x's configuration and operation of the Console on top of them. Only aggregated metrics (event counts, byte volumes) reach the SaaS -- never log content.

How does Log10x support GDPR compliance

A DPA is available on request. Log content never leaves your infrastructure, so it is not subject to cross-border transfer mechanisms.

Deploy in your EU infrastructure and log data stays in the EU -- no complex data transfer mechanisms needed. The SaaS Console is currently hosted in US regions; EU hosting is on our roadmap. If an EU deployment uses the managed Console, the aggregated metrics it sends (no log content, no PII, per the DPA scope) are stored in the US, so account for that in your transfer assessment. Self-managed deployments can run in any region today.

DPA key terms:
  • Data scope: aggregated metrics only (no log content, no PII)
  • Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication), xAI (AI analysis, when enabled in managed mode)
  • Deletion: on request via security@log10x.com

Contact us for the full DPA.

Can Log10x support HIPAA requirements

A BAA is available for enterprise customers. Data scope is limited to aggregated metrics -- no PHI content. Sub-processors under the BAA: AWS Managed Services (infrastructure), Auth0 (authentication). Contact security@log10x.com.

All log processing happens in your environment, so PHI never leaves your HIPAA-compliant infrastructure. Note that xAI (the AI analysis sub-processor listed under the GDPR DPA for managed mode) is not in the BAA sub-processor list above; if you rely on the BAA, confirm the status of AI analysis with Log10x before enabling it in managed mode.

What about SOX and PCI DSS

Audit trails are maintained entirely in your infrastructure.

The Log10x SaaS doesn't process or store log content, which places it outside your CDE (Cardholder Data Environment). Self-managed components that process logs inside your environment are in scope like any other software you run there, and your existing controls apply to them -- the architecture keeps compliance scope within your own boundary rather than extending it to a vendor.

How long are metrics retained in the SaaS

90 days. Metrics in the managed Console auto-expire after 90 days. Customers can request early deletion via security@log10x.com. On account termination, all metrics data is purged.

Self-managed: You control retention via your own Prometheus configuration (for example, the --storage.tsdb.retention.time flag).

What is your incident response and breach notification process

72-hour breach notification, aligned with the GDPR Article 33 deadline so that you, as controller, can meet your own notification obligations. If the Log10x SaaS is compromised:

  1. Scope: Limited to aggregated metrics (event counts, byte volumes). No log content is stored in our SaaS.
  2. Notification: Affected customers notified via email within 72 hours.
  3. Status: Real-time updates at status.log10x.com.
  4. Contact: security@log10x.com for incident response details.

Self-managed: Log10x has no access to your infrastructure -- incident response is handled entirely by your team.