Security
Built to observe, not to act
StatHall reads the state of your apps and servers — it never writes back. This "passive observability" stance drives every architecture choice. Here are the principles; the technical detail of the audits lives in the internal documentation.
The principles
Read-only
StatHall pushes nothing to the stores, the tracking tools or the supervised servers. The only writes are internal to the cockpit (invitations, configuration). No remote action.
Encrypted secrets
Every connector API key is encrypted with a master key kept outside the database. Secrets are never returned in cleartext to the browser, nor written to the logs.
Narrow-scope agent
The server agent token is displayed once, bound to a single server, and revocable at any time. If compromised, it exposes one target only — never the rest of the account.
Encrypted transport
Everything travels over HTTPS with modern transport encryption and a strict set of security headers, applied as defense in depth.
GDPR by design
Self-service account export and deletion, data minimisation, bounded audit-log retention. Two-factor authentication required on every account.
Your data, your place
Data is stored locally, never resold. Daily encrypted backups with an off-site copy. StatHall also stays fully self-hostable end to end.
What StatHall does not do
The boundary matters as much as the feature. On a supervised server, StatHall does not restart services, does not kill processes, does not open a remote terminal, does not run scripts and opens no port. The agent observes and pushes — the administrator keeps control of the actions.
Supply-chain audits and security reviews are run in every development cycle. Have a security question or a responsible disclosure to report? Write to us.