Security Overview


Locale is committed to building a business event monitoring platform that's held to the highest possible security standards, as we work with large logistics, financial, and healthcare enterprises to enable proactive operations on top of their data

This document breaks down our security and infrastructure in greater detail and also outlines a couple of options each customer has for data transfer and storage, with associated considerations.

Basic Architecture Overview

Locale connects to your data warehouse (similar to any Business Intelligence tool). We can connect through an SSH or reverse SSH tunnel, and once you've obtained a connection you'll be able to define events you want to monitor and send to downstream tools, via SQL. Read our database connection document for more information on how you can connect your database or data warehouse.

An alert definition defines what notifications to send, and how often they should run. When a Locale run initiates, Locale executes the SQL query (associated with your alert) on your data warehouse, identifies only the incremental rows that need to be sent to the associated downstream tool or alerted on, and will then translate these rows to the appropriate APIs for sending you the alert.

Customer data is only flowing through our infrastructure during an "alert run," is encrypted in transit via TLS as it is flowing through our system, and our compute instances are not exposed to the internet (and are secured according to GCP cloud security best practices). security docs

After sending data downstream, Locale stores the full query results in a database using standard AES-256 encryption algorithms. These results are only used for checking for incremental rows in subsequent runs and avoiding spammy alerts. Only the results of your last run are actively stored and all previous data is deleted permanently from the system.

Data Flow

Data into System

Data into the system only comes from running SQL queries on top of your warehouse or through our API triggers. The data only goes through the platform during an active run and no data is queried or stored outside of it.

Data at Rest

Customer Data stored in the platform are the results after an active run. Only the latest run results are stored in order to deduplicate data for subsequent runs. All stored data is encrypted via AES 256 encryption.

Secure key management: We define an encryption approach that includes the storage, rotation, and access control of keys to provide protection for content against unauthorized users and against unnecessary exposure to an authorized user

Data through System encrypts all data entering or leaving infrastructure with TLS/HTTPS. Additionally. Each account’s data is logically separated, and access to your data is protected by strong authentication and authorization controls.

Data out of System integrates with a variety of third-party tools so developers can combine error data from with data from other systems, manage workflows efficiently, and be alerted of errors through notification and chat tools, in addition to email and SMS. Therefore,’s high standards for security and compliance also extend to its partner network.

Access Security

Permissions and Authentication

Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their roles. Where available we have Single Sign-on (SSO), 2-factor authentication (2FA), and strong password policies to ensure access to cloud services is protected.

Least Privilege Access Control

We follow the principle of least privilege with respect to identity and access management.

Quarterly Access Reviews

We perform quarterly access reviews of all team members with access to sensitive systems.

Password Requirements

All team members are required to adhere to a minimum set of password requirements and complexity for access.

Password Managers

All company-issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.

Infrastructure and Network Security

Physical Security is hosted on the Google Cloud Platform with dedicated infrastructure for each of our clients. employees do not have physical access to GCP data centers, servers, network equipment, or storage.

Logical Access Control is the assigned administrator of its infrastructure on GCP, and only designated authorized operations team members have access to configure the infrastructure on an as-needed basis behind a two-factor authenticated virtual private network. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted location.

Access Logging

Systems controlling the management network at log to our centralized logging environment to allow for performance and security monitoring. Our logging includes system actions as well as the logins and commands issued by our system administrators.

Third-Party Audit

Google Cloud Platform (GCP) undergoes various third-party independent audits on a regular basis and can provide verification of compliance controls for its data centers, infrastructure, and operations. This includes, but is not limited, to SSAE 16-compliant SOC 2 certification and ISO 27001 certification.

Contact us

If you have any comments, concerns, or questions about data security, privacy policy, or our privacy practices in general, please send an email to