What we collect

Logystera collects structured event metadata - not raw log files, not page content, not user-submitted data. Each event contains:

Event type - e.g., http.request, auth.attempt, wp.cron
Timestamp
Operational context - HTTP status code, response time, cron hook name, email delivery status, error severity

What we do NOT collect:

No passwords or credentials
No form submission content
No page content or user data
No email content or recipient addresses
No database contents
No raw log files

Authentication

HMAC signatures

Every request from the WordPress plugin or Drupal module to the Logystera gateway is signed with HMAC-SHA256 using a per-entity secret. The gateway verifies the signature before accepting any data. Replay attacks are prevented with timestamp validation.

API keys

Each monitored site (entity) has its own API credentials. Keys are generated per-entity and can be rotated without affecting other sites. Credentials are stored encrypted in the database.

Encryption

In transit

All communication between your site and Logystera uses TLS 1.2+. The gateway endpoint is HTTPS-only. Internal service communication uses encrypted channels.

At rest

Data stored in PostgreSQL and VictoriaMetrics uses encrypted volumes (AWS EBS encryption). Credentials and secrets are stored in AWS Secrets Manager with IAM-based access control.

Infrastructure

Region: EU (Frankfurt, eu-central-1)
Provider: AWS (ECS Fargate, RDS, Secrets Manager)
CDN: Cloudflare (DNS, DDoS protection)
Database: PostgreSQL (Neon, EU region)
Metrics: VictoriaMetrics (self-hosted, EU)

Data retention

Plan	Retention	After cancellation
Starter	7 days	Deleted after retention period
Professional	30 days	Deleted after retention period
Enterprise	90+ days (configurable)	Export available, then deleted

Responsible disclosure

If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond within 48 hours.

How Logystera handles your data