
Last updated · May 8, 2026

Security at Sentry

Security is part of the product, not a layer on top. This page summarizes how we build, operate, and report on the security of Sentry by Dark Rock Labs.

Architecture

  • Multi-tenant isolation. Every data row carries a tenantId. Every server action filters by the active tenant before reading or writing, enforced in code review and verified at build time by a static check on every Prisma query against a tenant-scoped model.
  • Encryption in transit. TLS 1.3 on every public endpoint; HSTS preload-eligible.
  • Encryption at rest. AES-256 (Supabase / Vercel managed storage).
  • Secret management. Secrets live only in Vercel environment variables; nothing in the repo, nothing in logs.
  • Least-privilege auth. Supabase Auth + Postgres roles; service-role keys never reach the browser.
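As an added illustration of the build-time check described under multi-tenant isolation (example code, not Sentry's or Dark Rock Labs' own tooling): a minimal scan that flags Prisma calls against tenant-scoped models whose argument object lacks a tenantId key. The model names, the operation list and the sample source are assumptions constructed for this example.

```typescript
// Added example, not the project's code. Scans source text for Prisma calls on
// tenant-scoped models and reports any whose argument lacks a tenantId key,
// so a missing tenant filter fails the build instead of leaking across tenants.

const TENANT_SCOPED = new Set(["project", "event", "member"]); // assumed model names
const OPS =
  /prisma\.(\w+)\.(findMany|findFirst|findUnique|count|update|updateMany|delete|deleteMany|create|upsert)\s*\(/g;

interface Finding { model: string; op: string; offset: number }

// Return the text between the balanced parentheses whose "(" sits at `open`.
// Note: a plain brace counter; string literals containing brackets would confuse it.
function argumentText(src: string, open: number): string {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    const c = src[i];
    if (c === "(" || c === "{" || c === "[") depth++;
    else if (c === ")" || c === "}" || c === "]") {
      depth--;
      if (depth === 0) return src.slice(open + 1, i);
    }
  }
  throw new Error(`unbalanced call at offset ${open}`);
}

function checkTenantScoping(src: string): Finding[] {
  const findings: Finding[] = [];
  for (const m of src.matchAll(OPS)) {
    const [, model, op] = m;
    if (!TENANT_SCOPED.has(model)) continue; // only tenant-scoped models are checked
    const open = m.index! + m[0].length - 1; // index of the call's "("
    const args = argumentText(src, open);
    // Accept `tenantId: x`, the shorthand `{ tenantId, ... }` and `{ ..., tenantId }`.
    if (!/\btenantId\s*[:,}]/.test(args)) {
      findings.push({ model, op, offset: m.index! });
    }
  }
  return findings;
}

// Constructed sample: a scoped read, a read that forgot the tenant filter,
// and a query on a model that is not tenant-scoped (ignored).
const SAMPLE = `
  const rows = await prisma.project.findMany({ where: { tenantId, archived: false } });
  const leak = await prisma.event.findMany({ where: { level: "error" } });
  const user = await prisma.user.findUnique({ where: { id } });
`;
```

A regex scan is enough to show the idea; a production check would walk the TypeScript AST so that string literals and nested calls cannot confuse the brace counter.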

Application security

  • Server actions enforce session checks and tenant scoping on every request; mutating calls are additionally protected by the Next.js App Router's origin validation against CSRF.
  • Strict security headers: X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff, Permissions-Policy locked down, Referrer-Policy strict-origin-when-cross-origin.
  • HTML sanitization (sanitize-html) on every untrusted HTML render.
  • Dependency scanning via GitHub Dependabot; high-severity advisories fixed within 7 days.

Sub-processors

  • Vercel Inc. — application hosting and edge delivery.
  • Supabase Inc. — Postgres database, authentication, object storage.
  • Resend Inc. — transactional email.

We notify administrators of material sub-processor changes at least 30 days in advance.

Operational practices

  • Backups — automated daily snapshots with point-in-time recovery to 7 days.
  • Logging — request logs retained 30 days; security audit logs retained 12 months.
  • Incident response — 24-hour notification target for confirmed security incidents affecting Customer Data.
  • Change management — every production change ships through a PR with code review and automated checks.

Compliance roadmap

  • SOC 2 Type II — observation period in progress (target completion Q4 2026).
  • ISO 27001 — controls mapped; certification audit scheduled Q1 2027.
  • HIPAA — BAA available for Enterprise customers handling PHI.
  • GDPR / UK GDPR / CCPA — DPA available at contract signing.

Reporting vulnerabilities

We welcome reports from the security community. Email security@darkrocksecurity.com or use our PGP key (fingerprint available on request). We commit to acknowledging reports within 2 business days and providing a status update within 7 days. We do not pursue good-faith researchers who follow responsible disclosure.

Trust portal

Customers and prospects under NDA may request SOC 2 reports, penetration-test summaries, and our latest sub-processor list at trust@darkrocksecurity.com.

© 2026 Dark Rock Labs, Inc.