Security & Retention

Security Overview

WebhookBase uses administrative, technical, and organizational measures designed to protect customer and account data. These may include encryption in transit, access controls, logging, secrets handling, authentication controls, infrastructure monitoring, and role-based access restrictions where applicable.

Infrastructure is currently expected to include Hetzner hosting in Frankfurt, Neon Postgres, Cloudflare services, and other providers listed on the Subprocessors page. Actual vendor regions may vary by provider configuration and service needs.

WebhookBase may use internal operational tooling such as Grafana, OpenSearch/Kibana, Rancher, and Argo CD for logging, monitoring, infrastructure management, deployment, and incident response. These tools may process operational metadata, logs, metrics, configuration data, and deployment information and are protected through access controls and administrative safeguards.

No service can guarantee absolute security, and customers remain responsible for secure configuration of their own endpoints, agents, credentials, replay destinations, and local environments.

Retention

Data retention may vary depending on plan, customer settings, system design, support requirements, abuse prevention, backups, and legal obligations.

Webhook deliveries, logs, attempt records, replayable content, and related metadata may be deleted after plan-specific retention windows, cancellation, downgrade, or expiration.

Current delivery retention limits are 3 days on Free, 30 days on Pro, 60 days on Team, and custom by agreement for Enterprise. Attempt records, payload bodies, replayable content, and related metadata may follow the same or shorter retention windows. Backups and security logs may be retained for a limited additional period for restoration, audit, abuse prevention, legal, or operational purposes.

Incident Response

We maintain internal processes designed to identify, assess, and respond to security incidents. Where required by law or contract, we may notify affected customers of confirmed incidents involving personal data or material service impact.

Vulnerability Reports

Security reports may be sent to [email protected]. Reports should include enough detail to reproduce the issue. Do not access, modify, delete, exfiltrate, or disclose another user's data while testing.