Security

At Calibre, the privacy and security of our customers' data are critical. We're committed to full transparency about our practices and precautions to keep your information secure. You can also find more information about data processing on our Data Protection & Compliance page and in our Privacy Policy.

Overview#

Calibre provides synthetic performance monitoring and Real User Monitoring (RUM) for websites. Our security practices are designed to protect both the data our customers entrust to us and the data collected from their website visitors through the RUM service. We apply the principle of data minimisation throughout our architecture and collect only what is necessary to deliver our services.

Our Technical and Organisational Measures are formally documented in Schedule 1, Part D of our Data Processing Agreement, which is available to all customers.

Infrastructure security#

• Cloud provider: Calibre runs entirely on Amazon Web Services (AWS), benefiting from AWS's extensive security certifications (SOC 2, ISO 27001, and others).
• Network isolation: Our application infrastructure runs within a Virtual Private Cloud (VPC) that is not accessible from the public internet, except through our public-facing endpoints.
• Edge network: Real User Monitoring data is processed by AWS Lambda@Edge at globally distributed edge locations closest to the website visitor (determined by Anycast routing), before being securely transferred to our centralised database in the United States.
• Content Delivery: Public-facing assets are served through a content delivery network with DDoS protection.

Encryption#

• In transit: All data is encrypted in transit using TLS. Platform services use TLS 1.3 or higher — there are no exceptions to this rule.
• At rest: All data at rest is encrypted using AES-256 in both our database and file storage.
• Key management: Encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation.

Access controls#

• Role-based access: Internal access to production systems follows the principle of least privilege, with role-based access controls limiting access to what is necessary for each role.
• Multi-factor authentication: MFA is required for all internal access to production infrastructure and administrative systems.
• Audit logging: Access to customer data is logged and auditable.
• Access reviews: Access permissions are reviewed regularly and revoked promptly when no longer needed, including during employee offboarding.

Application security#

• Login security: Customer accounts are protected against brute force attacks with rate limiting. All passwords are cryptographically hashed and salted before storage. Single sign-on (SSO) via SAML is available for company plan accounts.
• Vulnerability management: We use automated vulnerability scanning and dependency monitoring to identify and address security issues. We stay current with security patches and advisories.
• Code review: All production code is reviewed by senior engineering staff before deployment.
• Testing: We run an extensive automated test suite across every change. Development and QA environments are separated from production, and customer data is never used in non-production environments.

Real User Monitoring security#

RUM has been designed with security and privacy as foundational requirements, not additions.

• TLS 1.3: All RUM data is transported exclusively over TLS 1.3, providing the strongest available transport encryption.
• Subresource Integrity (SSRI): Calibre RUM uses signature-based Subresource Integrity, an emerging specification that provides cryptographic verification that the RUM script has not been tampered with. The integrity attribute in the RUM snippet contains a public key that browsers use to verify the script's authenticity before execution. Supported in Chrome 141+.
• No IP address storage: IP addresses are used transiently at the edge to derive approximate geographic location (city/country), then discarded. They are never logged, stored, or written to any database.
• Ephemeral session identifiers: The RUM snippet generates a random session identifier stored in the browser's sessionStorage. It is automatically deleted when the tab or browser is closed, and is never reused across sessions.
• No cookies: The RUM snippet does not set, read, or use cookies of any kind.
• Allowed origins: Only domains explicitly configured by the customer in their RUM settings can send data to Calibre. Requests from unauthorised origins receive an empty 204 response.
• Bot detection: Automated traffic is detected and filtered at the network edge using a combination of request pattern analysis, user agent evaluation, and behavioural heuristics. Bot traffic is discarded before it reaches our database.
• Sampling controls: Customers can configure the percentage of sessions collected, reducing data volume to only what is needed.
• Path masking: Customers can override page paths to prevent sensitive URL segments (such as account IDs or user identifiers) from being transmitted to Calibre.
• EEA/EU exclusion: Customers can disable RUM data collection for visitors located in the EEA or EU. When enabled, the snippet returns an empty response and no data is collected or processed.
• Content Security Policy (CSP): RUM is designed to work with strict Content Security Policies by requiring only use.calibre.app in script-src and connect-src directives.

Data lifecycle#

• Retention: RUM data retention is configurable by customers between 3 and 24 months. Platform data is retained for the duration of the customer's subscription. Billing and payment records are retained for 7 years in accordance with Australian tax obligations.
• Automatic deletion: RUM data is automatically deleted after the customer's configured retention period. Deletion is irreversible.
• Termination: Upon account termination, customer data is deleted within 90 days unless the customer requests earlier deletion or applicable law requires retention. Customers may request return of their data prior to deletion.
• Secure destruction: Deleted data is removed from all primary and backup systems. Our cloud infrastructure provider (AWS) handles physical media destruction in accordance with their own security certifications.

People and security#

• Confidentiality obligations: All employees and contractors are bound by confidentiality agreements that cover customer data.
• Security training: Team members receive security awareness training and are kept informed of current threats and best practices.
• Access lifecycle: Access to production systems is provisioned on a need-to-know basis and revoked promptly upon role change or departure.

Incident response#

• Classification: Security incidents are classified by severity and impact to determine the appropriate response.
• Response: We maintain an incident response process for investigating, containing, and remediating security incidents.
• Notification: In the event of a data breach that affects customer data, we will notify the affected customer as soon as reasonably practicable, and in any event within 72 hours of becoming aware of the breach. Notification will include the nature of the breach, the categories and approximate numbers of affected data subjects and records, the likely consequences, and the measures taken or proposed to address the breach.
• Post-incident review: All significant incidents are followed by a post-incident review to identify root causes and implement preventive measures.

Business continuity#

• Redundancy: Our infrastructure is deployed with redundancy to minimise single points of failure.
• Backups: Automated backups are performed regularly. Backups are encrypted and stored separately from primary data.
• Disaster recovery: We maintain a disaster recovery plan with defined recovery objectives. The plan is reviewed and tested periodically.
• Status: Real-time service status is available at www.calibrestatus.com.

Compliance#

• Data Processing Agreement: Our DPA documents our security commitments, Technical and Organisational Measures, and international transfer safeguards. Contact privacy@calibreapp.com for a copy.
• GDPR: Calibre is compliant with the EU GDPR and UK GDPR. See our Data Protection & Compliance page for details.
• CCPA: Calibre acts as a service provider under the CCPA when processing data on behalf of customers. See our Privacy Policy for California-specific disclosures.
• Australian Privacy Act: Calibre complies with the Australian Privacy Principles under the Privacy Act 1988 (Cth).

Responsible disclosure#

If you discover a security vulnerability in Calibre or the RUM snippet, we encourage you to responsibly disclose it by contacting us at security@calibreapp.com. We will work with you to investigate and address issues that meet our security criteria.

Please allow reasonable time for us to investigate and resolve the issue before any public disclosure.

Contact#

If you have any questions regarding security at Calibre, we're here to help.

• Security enquiries: security@calibreapp.com
• Privacy and data protection: privacy@calibreapp.com
• General support: support@calibreapp.com