Security

How Merlonix is secured.

You’re considering pointing a monitoring product at infrastructure you care about, so you should know exactly how that product is built and run. This page states our real controls in plain language — and states what we don’t claim just as plainly.

What we do

Platform & data

  • Merlonix runs on Cloudflare Workers at the edge — there are no long-lived servers of ours to patch, and no SSH surface. Data lives in managed PostgreSQL (Supabase, hosted in Frankfurt), encrypted in transit everywhere and at rest by the database provider.
  • Tenant isolation is enforced in the database, not just the application: PostgreSQL Row-Level Security policies bound every tenant-scoped query, so one customer’s rows are invisible to another customer’s database session even if a query in application code omits its tenant filter.
  • The marketing site and app are static exports — the web tier renders no server-side user data.
  • We never see or store card numbers. Payments run through Stripe Checkout; our systems hold only subscription state.

Authentication & access

  • Sign-in is passwordless: single-use magic links that are atomically consumed (a link can never be replayed), or Google / GitHub OAuth — where we accept only verified email addresses from the provider.
  • Sign-in and public forms are bot-gated with Cloudflare Turnstile.
  • REST API keys are shown once and stored only as a hash — we cannot read your key back, and neither can anyone who reads our database.
  • Write access is default-deny: a request must carry an allow-listed plan on an active subscription or valid trial, enforced in middleware that fails closed. Unknown plan or unknown subscription state means no write, not a lucky pass.
  • Team access is role-based (owner / admin / member / viewer), enforced by the same row-level policies.

Hardened outbound fetchers

  • Merlonix’s job is fetching your sites, so our fetchers are the most attacked surface we run — and the most hardened. Every public tool and monitored check resolves hostnames over DNS-over-HTTPS, rejects private, loopback, link-local, and cloud-metadata address ranges, and then pins the actual connection to the vetted IP so a DNS-rebinding race cannot redirect a request into internal infrastructure.
  • Every public endpoint is rate-limited per source IP, with requests that arrive without an attributable IP sharing one strict bucket instead of bypassing the limit.

Webhooks & integrations

  • Every inbound webhook we accept — Stripe billing events, email delivery events, SMS delivery receipts, error-tracker callbacks — is cryptographically signature-verified before a byte of it is processed, with idempotency handling so replayed deliveries cannot double-fire side effects.
  • Third-party AI calls exist only in explicitly opt-in features, run behind spend caps and a kill switch, and AI output is treated as untrusted: it can label a finding, never trigger an action.

Monitoring, audits & response

  • All seven production workers ship errors to Sentry and structured request logs to Axiom; high-severity failures page the operator directly by email and chat webhook.
  • We run recurring internal security audits against our own code — authentication, tenant isolation, SSRF, rate limits, CORS, entitlements. Findings are fixed and deployed promptly, typically the same day they are found.
  • We monitor merlonix.com with Merlonix itself — uptime, TLS posture, DNSSEC, Certificate Transparency issuance, and AI hidden-text scanning all run against our own domain first.

Code & secrets

  • Secrets live in the runtime secret store, not in source control, and every push runs a gate of lint, type checks, tests, and secret / privileged-access scans before it can land.
  • Dependencies are updated continuously via automated update PRs.

Don’t take this page’s word for it — our own infrastructure is monitored by Merlonix and published live: see the Merlonix status page (uptime, TLS certificate expiry, and DNSSEC posture, updated continuously).

Who processes data

Service providers we run on.

Merlonix is deliberately built on a small set of established providers. The data-protection detail for each lives in our privacy policy.

  • Cloudflare: Edge hosting, DNS, bot protection
  • Supabase: Managed PostgreSQL (Frankfurt, Germany)
  • Stripe: Payments & subscriptions (card data never touches us)
  • Resend: Transactional email delivery
  • Google / GitHub: Optional OAuth sign-in (verified emails only); Google also provides PageSpeed data and analytics
  • Sentry: Error tracking
  • Axiom: Structured request logging
  • SSLMate (Cert Spotter): Certificate Transparency log data
  • Mobile Text Alerts: SMS alert delivery (only if you enable SMS)
  • OpenAI / Perplexity: Opt-in AI answer-presence checks only, spend-capped

What we don’t claim

No certification theater.

Merlonix does not currently hold a SOC 2 report or ISO 27001 certification, and we won’t imply otherwise with badges. We are a small, engineering-led product; what we offer instead is specificity — the controls above are real, deployed behavior, not aspiration, and this page changes when the practices change.

If your procurement process needs a security questionnaire answered, email us — you will get direct, specific answers from the people who built the system, usually within a business day.

Reporting a vulnerability

Found something? Tell us.

We welcome good-faith security research. Report vulnerabilities to [email protected] with enough detail to reproduce the issue. We read every report and respond promptly.

Please don’t access data that isn’t yours, degrade the service for others, or publicly disclose before we’ve had a reasonable chance to fix. We don’t run a paid bounty program today; we do credit reporters who want credit.

Monitoring you can inspect before you trust.

Start the full-workspace trial and look around — 14 days, no card. Compliance-evidence workflows are on the Compliance plan.