Security & Compliance

Zero egress of source code and log data.
SaaS · On-prem · Air-gapped

Design Principles

Zero Egress

Your logs never leave
your network or domain

SaaS/On-prem

SaaS or self-hosted options.
Air-gapped deployments supported

Control Output

View in your dashboards
or the 10x managed console

Deployment Options

Choose the deployment model that matches your security requirements. Same product, same pricing, same features.

Deployment models compared
  • Managed Console: Default · Fastest setup
  • Self-Managed: Enterprise · Full control

Log Processing (where do logs get optimized?)
  • Managed Console: Your infrastructure only. Edge apps run as sidecars in your Kubernetes. Logs never leave your network.
  • Self-Managed: Your infrastructure only. Identical to managed. Edge apps run in your environment.

Metrics & Telemetry (what leaves your infrastructure?)
  • Managed Console: Aggregated metrics only. Event counts, volume stats, pipeline UUIDs. Zero log content. Zero PII.
  • Self-Managed: Your TSDB (Prometheus/Datadog). Configure output to your observability stack. Nothing to Log10x.

Console Hosting (where is the dashboard?)
  • Managed Console: Log10x managed (AWS) · Multi-tenant. Grafana + Prometheus hosted by Log10x. Each customer gets isolated data stores with separate Prometheus instances and Grafana orgs. SSO, Auth0, MFA included.
  • Self-Managed: Your infrastructure · Single-tenant. Deploy Grafana + Prometheus in your environment. Full Terraform source provided.

Security Review Scope (what does InfoSec evaluate?)
  • Managed Console: Software license + metrics DPA. Review Log10x SaaS console security (AWS Managed Services: SOC 2, ISO 27001).
  • Self-Managed: Software license only. No data processor evaluation. Runs entirely under your security controls.

Compliance Scope (HIPAA, GDPR, SOX audits)
  • Managed Console: DPA/BAA for metrics. Log10x console (metrics only) included in audit. BAA/DPA available.
  • Self-Managed: Out of audit scope. Software vendor, not data processor. No DPA/BAA required.

Air-Gap Capability (zero external connectivity)
  • Managed Console: Not air-gapped. Console requires internet for Auth0 + AWS. Not suitable for air-gapped environments.
  • Self-Managed: Full air-gap supported. Apps + Console run with zero external connectivity. Mirror images locally.

Data Residency Control (where is data stored?)
  • Managed Console: Logs: your region. Metrics: us-east-1. Log data never leaves your region. EU metrics hosting on roadmap.
  • Self-Managed: Complete control. Deploy in any region, cloud, or on-premises. You control all data location.

Time to Production (how fast can you deploy?)
  • Managed Console: 1-2 days. Helm install → configure metrics endpoint → done. Console ready immediately.
  • Self-Managed: 1-2 weeks. Deploy Grafana + Prometheus, configure apps, set up auth. Terraform provided.

Operations & Maintenance (who manages infrastructure?)
  • Managed Console: Shared. You manage edge apps in your K8s. Log10x manages console (uptime, updates, scaling).
  • Self-Managed: You manage everything. Complete operational control. Update on your schedule. Scale as needed.

Recommended For (typical use cases)
  • Managed Console: Most customers (95%). Fast deployment, managed console, metrics-only egress acceptable for security review.
  • Self-Managed: Regulated/air-gapped. Healthcare, finance, government. Zero data egress policy. Air-gapped requirements.

Same product, same pricing, same features. Choose based on your security requirements.

Technical Architecture

Detailed data flow diagrams showing how logs are processed in your infrastructure

Data flow diagram (text summary):
  • Deployment: you pull 10x apps directly from GitHub / Docker Hub (public or private repos) and deploy them in your infrastructure.
  • Edge processing (your infrastructure): user app writes logs → log forwarder (Fluentd / OTel) → 10x Edge sidecar → optimized logs to Splunk / Elastic. Logs stay in your network; Log10x never sees them.
  • 10x Cloud apps (your AWS/cloud account): Cloud Reporter reads S3/CloudWatch; Storage Streamer streams optimized logs.
  • Log10x SaaS: AWS Managed Prometheus stores cost metrics (edge metrics and cloud metrics), Auth0 provides identity and access management, and the Grafana console visualizes metrics.
✓ Stays in Your Infrastructure
  • Artifacts: Pull from GitHub/Docker directly
  • All log data stays with you
  • Apps: Deploy in your infrastructure
→ Metrics to Log10x
  • Aggregated cost data only
  • No log content, no PII
  • Configure output in YAML

Security FAQ

Common questions about Log10x security, data handling, and compliance

Architecture & Data Handling

Where does log processing happen?

All processing happens in your infrastructure.

You control where processed events go via output configuration (files, forwarders, metric destinations). Log10x never receives log content.

What data does Log10x actually see?

Zero log content. When configured to send metrics to our SaaS (optional), only aggregated metrics leave your network — event counts and byte volumes grouped by enrichment fields (message pattern identity derived from symbol tokens in your source code, severity level, K8s container/namespace, HTTP status code). No log messages, no PII, no sensitive data. You can also send metrics to your own TSDB instead — we never see anything.

What specific metrics leave my network in managed mode?

In managed console mode, 10x apps send aggregated metrics to prometheus.log10x.com over TLS 1.3. The exact fields:

Label              Example value                 Contains PII?
tenx_env           production                    No
tenx_app           order-service                 No
tenx_host_name     edge-node-1                   No
severity_level     ERROR                         No
message_pattern    Failed to connect to {}       No
k8s_namespace      payments                      No
k8s_container      api-gateway                   No
http_code          503                           No

Metric values are counters and gauges: event counts, byte volumes, processing times. message_pattern is a template name derived from log statement structure (placeholders replace all variable data) — it contains no log content, no request data, no PII.

Billing telemetry: Engines also send lightweight heartbeats (see Metrics API for complete list) containing infrastructure metadata for license tracking. No log content, no PII. Air-gapped deployments use a local License Receiver instead.

Self-managed mode: Nothing is sent to Log10x. All metrics go to your own TSDB.

Sensitivity note: Metric labels include infrastructure metadata such as application names, Kubernetes namespace names, and log pattern templates. Organizations that classify infrastructure topology as sensitive should deploy self-managed — no data reaches Log10x systems.

What are symbol libraries and do they contain my code?

Symbol libraries contain 64-bit hashes of string constants extracted from your log statements, plus class and method names to identify the source of each log statement. They contain no source code, no log data, and no telemetry. Compilation happens in your CI/CD pipeline — we never see your repositories, code, or symbol libraries. See the Compiler FAQ for full details.

What log data leaves my environment?

None. Log data never leaves your infrastructure. The architecture keeps all log content in your environment.

The only data that optionally reaches our SaaS is aggregated metrics (event counts, byte volumes). No log content is included.

Optional AI recommendations: The Console provides AI-powered analysis on ROI Analytics dashboards in three configurable modes: Managed (hosted by Log10x using xAI Grok, default in SaaS mode), Bring Your Own Key (OpenAI, Anthropic, xAI, Azure OpenAI, or self-hosted via Ollama or any OpenAI-compatible endpoint), or Disabled (no data sent to any AI provider). Only aggregated metrics from Prometheus (event type names, volume, cost) are sent — never raw log content. All API keys are encrypted at rest. In self-managed deployments, AI is not preconfigured — you control whether and how to enable it. See AI Analysis for full configuration.

How is data encrypted?
  • In transit: TLS 1.3 for all API communications
  • At rest: AES-256 for any stored metrics in our SaaS
  • Self-hosted: Customer-managed KMS keys supported

Since logs stay in your infrastructure, they're protected by your existing encryption controls.

Compliance & Certifications

Is Log10x SOC 2 certified?

Log10x SOC 2 certification is planned for 2026. SIG Lite questionnaire responses are available on request — contact security@log10x.com.

Organizations that require SOC 2 from all vendors: Deploy self-managed. Log10x becomes a software licensor, not a data processor — no data reaches Log10x systems and your existing compliance controls (SOC 2, HIPAA, PCI DSS) apply directly.

SaaS Console option: If you use our managed Console, it runs on AWS Managed Grafana and Prometheus, which maintain SOC 2 Type II, ISO 27001, and PCI DSS compliance. Only aggregated metrics (event counts, byte volumes) reach the SaaS — never log content.

How does Log10x support GDPR compliance?

DPA available on request. Since log data never leaves your infrastructure, it never crosses borders.

Deploy in your EU infrastructure and data stays in the EU — no complex data transfer mechanisms needed. The SaaS Console is currently available in US regions; EU hosting is on our roadmap. Self-managed deployments can run in any region today.

DPA key terms: Data scope limited to aggregated metrics only (no log content, no PII). Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication), xAI (AI analysis, when enabled in managed mode). Deletion on request via security@log10x.com. Contact us for the full DPA.

Can Log10x support HIPAA requirements?

BAA available for enterprise customers. Data scope limited to aggregated metrics — no PHI content. Sub-processors: AWS Managed Services (infrastructure), Auth0 (authentication). Contact security@log10x.com.

All log processing happens in your environment, so PHI never leaves your HIPAA-compliant infrastructure. Log10x only receives aggregate metrics — no PHI content.

What about SOX and PCI-DSS?

Audit trails are maintained entirely in your infrastructure.

Log10x doesn't process or store log content, placing us outside your CDE (Cardholder Data Environment). Your existing controls apply — the architecture simplifies compliance scope.

How do I validate that critical security logs aren't being filtered?

Multi-layer validation ensures security logs always reach your analytics tool:

  1. Shadow mode testing: Deploy Edge Reporter as a read-only sidecar — it monitors your live event stream without modifying, filtering, or redirecting any data. Compare what would be optimized vs actual security events before enabling production changes.
  2. Allowlist approach: Explicitly preserve all logs from security indexes. Allowlist sourcetypes like firewall, ids, authentication.
  3. Metrics tracking: Dropped event counts are recorded in aggregated metrics — compare total vs emitted volumes to verify nothing unexpected was filtered.
  4. Compliance reporting: Daily summary confirms zero security logs filtered. Start with no filtering on security sources, then expand gradually after 30-day validation.

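The two checks a security team would actually run on the outbound metrics, the label audit from the field table under "What specific metrics leave my network in managed mode?" and the received-vs-emitted comparison from steps 2 and 3 above, as one added example. This is not Log10x code. It assumes a scrape of the sidecar's metrics in Prometheus text exposition format; the label names are the ones the table documents, while the counter names tenx_events_received_total and tenx_events_emitted_total, the security allowlist and both sample scrapes are constructed for this example and are not Log10x's real metric schema.

```python
# Added example, not Log10x code: audit a captured metrics scrape before it
# leaves the network. Label names are the ones the page documents; the two
# counter names, the allowlist and the sample scrapes are assumptions.
import re
from collections import defaultdict

ALLOWED_LABELS = {"tenx_env", "tenx_app", "tenx_host_name", "severity_level",
                  "message_pattern", "k8s_namespace", "k8s_container", "http_code"}
RECEIVED = "tenx_events_received_total"   # assumed: events seen by the sidecar
EMITTED = "tenx_events_emitted_total"     # assumed: events forwarded onward
SECURITY_SOURCES = {"firewall", "ids", "authentication"}  # allowlist (step 2)

# Label values that look like raw data rather than a template: an e-mail
# address, an IPv4 literal, or a long digit run (card/phone/account-style).
PII_PATTERNS = [re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
                re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
                re.compile(r"\d{9,}")]
SAMPLE_LINE = re.compile(r"^([A-Za-z_:][\w:]*)(?:\{(.*)\})?\s+(\S+)\s*$")
LABEL_PAIR = re.compile(r'([A-Za-z_]\w*)="((?:[^"\\]|\\.)*)"')

# Constructed scrape: firewall passed through unchanged, a chatty order-service
# heavily deduplicated, and an authentication app that lost ten events.
SAMPLE_SCRAPE = """\
# TYPE tenx_events_received_total counter
tenx_events_received_total{tenx_env="production",tenx_app="firewall",k8s_namespace="security",severity_level="WARN",message_pattern="Denied connection from {} to {}"} 12000
tenx_events_emitted_total{tenx_env="production",tenx_app="firewall",k8s_namespace="security",severity_level="WARN",message_pattern="Denied connection from {} to {}"} 12000
tenx_events_received_total{tenx_env="production",tenx_app="order-service",k8s_namespace="payments",severity_level="DEBUG",message_pattern="Cache hit for key {}"} 50000
tenx_events_emitted_total{tenx_env="production",tenx_app="order-service",k8s_namespace="payments",severity_level="DEBUG",message_pattern="Cache hit for key {}"} 500
tenx_events_received_total{tenx_env="production",tenx_app="authentication",k8s_namespace="security",severity_level="INFO",message_pattern="Login succeeded for {}"} 3000
tenx_events_emitted_total{tenx_env="production",tenx_app="authentication",k8s_namespace="security",severity_level="INFO",message_pattern="Login succeeded for {}"} 2990
"""
# Constructed scrape from a misconfigured exporter: raw values in two labels
# and a label name the page does not list.
BAD_SCRAPE = """\
tenx_events_emitted_total{tenx_app="ids",tenx_host_name="10.0.0.5",message_pattern="Alert for user alice@example.com",request_id="abc"} 1
"""


def parse_exposition(text):
    """Parse Prometheus text-exposition lines into (name, labels, value) tuples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = SAMPLE_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {line!r}")
        name, raw_labels, value = m.groups()
        labels = {k: v.replace('\\"', '"') for k, v in LABEL_PAIR.findall(raw_labels or "")}
        samples.append((name, labels, float(value)))
    return samples


def unexpected_labels(samples):
    """Label names in the scrape that the documented field list does not contain."""
    return set().union(*(labels for _, labels, _ in samples)) - ALLOWED_LABELS


def pii_like_values(samples):
    """(label, value) pairs whose value matches a raw-data pattern, in scrape order."""
    hits = []
    for _, labels, _ in samples:
        for key, val in labels.items():
            if any(p.search(val) for p in PII_PATTERNS) and (key, val) not in hits:
                hits.append((key, val))
    return hits


def dropped_by_app(samples):
    """Received minus emitted event counts, summed per tenx_app (step 3)."""
    totals = defaultdict(lambda: [0.0, 0.0])
    for name, labels, value in samples:
        app = labels.get("tenx_app", "<unlabelled>")
        if name == RECEIVED:
            totals[app][0] += value
        elif name == EMITTED:
            totals[app][1] += value
    return {app: int(r - e) for app, (r, e) in totals.items()}


def absent_security_sources(samples, allowlist):
    """Allowlisted sources missing from the scrape entirely: usually the pipeline
    is not receiving them at all, which a drop count alone would never reveal."""
    present = {lb.get("tenx_app") for n, lb, _ in samples if n in (RECEIVED, EMITTED)}
    return sorted(allowlist - present)


def audit(text):
    """Run every check; an empty list means the scrape is safe to let out."""
    samples = parse_exposition(text)
    findings = [f"undocumented label exported: {n}" for n in sorted(unexpected_labels(samples))]
    findings += [f"raw data in label {k}: {v!r}" for k, v in pii_like_values(samples)]
    dropped = dropped_by_app(samples)
    findings += [f"security source filtered: {a} lost {dropped[a]} events"
                 for a in sorted(SECURITY_SOURCES) if dropped.get(a, 0) > 0]
    findings += [f"security source absent from scrape: {a}"
                 for a in absent_security_sources(samples, SECURITY_SOURCES)]
    return findings


if __name__ == "__main__":
    for scrape in (SAMPLE_SCRAPE, BAD_SCRAPE):
        print(audit(scrape) or ["clean"])
```

Run it against a scrape captured from the sidecar's metrics endpoint (or from the shadow-mode Edge Reporter in step 1) on a schedule, and treat any finding as a gate: an undocumented label or a raw value means the exported set has drifted from what the security review approved, a positive drop count on an allowlisted source means step 2's allowlist is not taking effect, and an allowlisted source that is absent from the scrape means the pipeline is not seeing it at all.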
How long are metrics retained in the SaaS?

90 days. Metrics in the managed Console auto-expire after 90 days. Customers can request early deletion via security@log10x.com. On account termination, all metrics data is purged.

Self-managed: You control retention via your own Prometheus configuration.

What is your incident response and breach notification process?

72-hour breach notification (GDPR-aligned). If the Log10x SaaS is compromised:

  1. Scope: Limited to aggregated metrics (event counts, byte volumes). No log content is stored in our SaaS.
  2. Notification: Affected customers notified via email within 72 hours.
  3. Status: Real-time updates at status.log10x.com.
  4. Contact: security@log10x.com for incident response details.

Self-managed: Log10x has no access to your infrastructure — incident response is handled entirely by your team.

Deployment Options

Can I run Log10x completely air-gapped?

Yes.

  • Edge apps require zero external connectivity when configured to output metrics to your local TSDB
  • Self-hosted Console deployment available for complete isolation
  • Terraform templates provided with security best practices for air-gapped environments

How is tenant data isolated in the managed console?

Each customer gets dedicated infrastructure in the managed console:

  • Separate Prometheus workspace per customer — metrics are never co-mingled
  • Isolated Grafana organization — dashboards and data sources are tenant-scoped
  • AWS managed service infrastructure with VPC-level network isolation
  • Access audited via AWS CloudTrail

Self-managed: Single-tenant by definition. You deploy your own Prometheus and Grafana.

What network access do edge apps require?

Connection            Destination                            Port   Required
Metrics push          prometheus.log10x.com or your TSDB     443    Yes
Artifact pull         GitHub / Docker Hub                    443    Deploy-time only
License validation    prometheus.log10x.com                  443    Optional

Air-gapped mode: After initial image pull to your private registry, edge apps require zero external connectivity. Configure metric output to your local TSDB and use a local License Receiver.

Which cloud providers are supported?

Edge apps run anywhere: on-premises, any cloud, Kubernetes, VMs.

Cloud apps currently support AWS (S3, CloudWatch Logs). Azure and GCP support planned.

Self-hosted Console uses AWS Managed Services. Other cloud options are on the roadmap.

Security Operations

How does authentication work?

Console — depends on deployment model:

  • SaaS: Auth0 with enterprise SSO (SAML 2.0, OIDC), MFA, session timeout
  • On-premises: Your OAuth provider or deployed Keycloak instance
  • Air-gapped: On-premises OAuth with no external dependencies

Apps — API key-based authentication for edge/cloud apps sending metrics. Keys generated via REST API with full lifecycle management (rotate, revoke, regenerate), scoped per environment/team.

Environment access control: Console access is scoped per environment with three permission levels: Owner (full control), Write (modify settings), and Read (view dashboards). API keys are scoped per environment and user.

Who at Log10x can access my metrics data?

SaaS mode: Access to customer Prometheus and Grafana instances is limited to engineering leads for operational support. All access is audited via AWS CloudTrail. Access logs are available on request — contact security@log10x.com.

Self-managed mode: Log10x has zero access to your infrastructure, metrics, or dashboards.

How are vulnerabilities handled?

Dependency updates monitored continuously.

  • Critical vulnerabilities (CVSS 9.0+): 48-hour SLA
  • All other severities: 30-day SLA
  • Reporting: security@log10x.com — response within 24 hours
  • Disclosure: coordinated disclosure with recognition for valid findings

Attack surface context: Edge apps have no inbound network listeners. All log processing uses local IPC between the forwarder and sidecar. Outbound connections are limited to metrics push (HTTPS to Prometheus endpoint).

Container security: Deployment model varies by forwarder. OTel Collector and Logstash run 10x as a separate sidecar container (non-root, read-only root filesystem, independent resource limits). Fluentd, Fluent Bit, and Filebeat embed 10x as a child process within the forwarder container, inheriting its security context. See Deployment Models for details.

Can we do a security review before purchasing?

Yes. Enterprise customers can schedule architecture reviews with our founders. We walk through data flows, discuss deployment models, and answer technical questions.

Documentation available:

Customers may conduct their own security assessment of edge app container images. Contact security@log10x.com to coordinate.

Is Log10x available in EU regions?

Currently available in US regions. EU deployment is on our roadmap.

Self-managed deployments can run in any region today using your own infrastructure. Contact us for EU self-managed options.

All edge processing runs in your infrastructure regardless of region. Only the management console is region-specific.

Questions About Security?

NDAs and architecture documentation available on request.