
Sensitive monitor data

How DiffMon handles monitor credentials, headers, payloads, retention, and deletion.

This page explains what happens to sensitive data you enter into monitor configuration and what your workspace can do to reduce storage of protected content.

What data can be entered

  • Monitor targets can include URLs, request headers, authentication credentials, extract and ignore rules, and notification settings.
  • Depending on fetch mode and the monitored endpoint, stored snapshots or diffs can contain response body content.
  • DiffMon is workspace-scoped, so monitor configuration and results belong to the workspace rather than an individual user.

Credentials and secrets

  • Values entered in the Auth tab are treated as secrets for outbound monitor requests.
  • Monitor authentication secrets are encrypted at rest.
  • After save, the plaintext secret is not returned to the UI.
  • API tokens are handled separately and are stored as irreversible hashes. See API tokens.

Request headers

  • Values entered in the Request headers field are stored as monitor configuration.
  • Use the Auth tab for bearer tokens, passwords, or secret header values when possible instead of placing them in raw custom headers.
  • Avoid putting credentials into URLs, query strings, or other fields that are not designed for secret storage.
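The three points above describe where credentials should and should not live in a monitor definition. The following pre-save check is an added example, not DiffMon's own code: it takes a monitor definition as a plain dictionary (the `url` and `headers` keys, the parameter and header name lists, and the sample monitor are all assumptions constructed for this illustration) and flags credentials embedded in the URL userinfo, in query-string parameters, or in raw custom headers that belong in the Auth tab.

```python
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that usually carry a credential.
# Assumed list for this example, not a DiffMon setting.
SECRET_PARAM_NAMES = {
    "token", "access_token", "api_key", "apikey", "key",
    "password", "passwd", "secret", "auth",
}

# Header names whose values should be entered in the Auth tab
# rather than typed into the raw Request headers field.
SECRET_HEADER_NAMES = {
    "authorization", "proxy-authorization", "cookie",
    "x-api-key", "x-auth-token",
}


def find_misplaced_secrets(monitor: dict) -> list:
    """Return a list of findings for credentials placed in fields that
    are not designed for secret storage. An empty list means clean."""
    findings = []

    parts = urlsplit(monitor.get("url", ""))

    # user:pass@host in the URL is stored and logged as part of the target.
    if parts.username or parts.password:
        findings.append("url: credentials embedded in userinfo (user:pass@host)")

    # Credential-looking query parameters end up in the stored URL as well.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SECRET_PARAM_NAMES:
            findings.append(f"query: parameter '{name}' looks like a credential")

    # Raw custom headers are stored as monitor configuration, not as secrets.
    for name in monitor.get("headers", {}):
        if name.lower() in SECRET_HEADER_NAMES:
            findings.append(
                f"headers: '{name}' should be set in the Auth tab, not raw headers"
            )

    return findings


# Constructed sample monitors (not real targets).
BAD_MONITOR = {
    "url": "https://svc:hunter2@api.example.test/v1/status?api_key=abc&page=1",
    "headers": {"Authorization": "Bearer example-token", "Accept": "application/json"},
}
GOOD_MONITOR = {
    "url": "https://api.example.test/v1/status?page=1",
    "headers": {"Accept": "application/json"},
    "auth": {"type": "bearer"},  # secret itself lives in the Auth tab
}

if __name__ == "__main__":
    for label, monitor in (("bad", BAD_MONITOR), ("good", GOOD_MONITOR)):
        print(label, find_misplaced_secrets(monitor))
```

Running the check on every monitor before it is saved (or as a periodic sweep over existing configuration) turns the guidance above into something a workspace can enforce rather than rely on.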

Response bodies and payload storage

  • In Content mode, DiffMon may store response bodies and derived diffs so it can compare changes over time.
  • In Headers only or Status only mode, DiffMon avoids storing body content for that monitor.
  • Use extract and ignore rules to minimize the amount of retained content when only part of a response matters.

Logs and redaction

  • DiffMon redacts Authorization headers, tokens, passwords, and similar sensitive values from application logs and telemetry.
  • Request identifiers remain available for auditability and incident investigation without exposing the secret value itself.
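As an added illustration of the redaction behaviour described above (example code, not DiffMon's implementation), the function below masks Authorization header values, credential-style `key=value` pairs, and JSON password/token fields in log lines while leaving the request identifier and the rest of the line intact. The patterns and the sample log lines are constructed for this example.

```python
import re

# Each entry is (pattern, replacement). Constructed for this example; a real
# logger would apply these before the line is emitted, not afterwards.
_PATTERNS = [
    # "Authorization: Bearer <token>" or "Authorization: Basic <b64>"
    (re.compile(r"(?i)(authorization:\s*(?:bearer|basic)\s+)\S+"), r"\1[REDACTED]"),
    # key=value pairs in query strings or structured log fields
    (re.compile(r"(?i)\b(token|access_token|api_key|password|secret)=([^&\s\"']+)"),
     r"\1=[REDACTED]"),
    # JSON-style "password": "..." / "token": "..." / "secret": "..."
    (re.compile(r'(?i)("(?:password|token|secret)"\s*:\s*")[^"]*(")'), r"\1[REDACTED]\2"),
]


def redact(line: str) -> str:
    """Return the log line with sensitive values masked. Request identifiers
    and non-secret fields are left untouched so the line stays useful for
    incident investigation."""
    for pattern, replacement in _PATTERNS:
        line = pattern.sub(replacement, line)
    return line


# Constructed sample log lines (no real tokens).
SAMPLE_LOGS = [
    "req_id=7f3c method=GET url=https://api.example.test/v1?token=abc123&page=2 "
    "authorization: Bearer eyJhbGci.fake.sig status=200",
    'req_id=7f3d body={"password": "hunter2", "user": "svc"} status=401',
    "req_id=7f3e method=GET url=https://api.example.test/health status=200",
]

if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(redact(raw))
```

The third sample line contains nothing sensitive and passes through unchanged, which is the property to test for: a redactor that mangles ordinary lines gets disabled in practice.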

Retention and deletion

  • Snapshot, diff, and payload retention follows your workspace plan. See Retention.
  • Free workspaces retain monitoring payloads for 3 days, Hobby for 30 days, Pro for 180 days, and Business or Enterprise on a custom schedule.
  • When retention expires, payload blobs are deleted while some operational metadata can remain for integrity and audit purposes.
  • Account or workspace termination can also trigger deletion workflows, subject to legal obligations and limited backup windows described in the DPA.
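To make the retention rule above concrete, here is an added example (not DiffMon's own code) that applies the plan windows stated on this page to a list of snapshots: expired payload blobs are dropped while the snapshot's operational metadata (identifier, timestamp, status code, content hash) is kept. The `Snapshot` structure, the per-workspace custom window for Business and Enterprise plans, and the sample data are assumptions for this illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Retention windows as stated on this page. Business and Enterprise use a
# custom schedule, represented here by an explicit per-workspace override.
PLAN_RETENTION_DAYS = {"free": 3, "hobby": 30, "pro": 180}


@dataclass
class Snapshot:
    snapshot_id: str
    monitor_id: str
    captured_at: datetime
    status_code: int
    body_sha256: str            # metadata: retained after the blob is gone
    payload: Optional[bytes]    # the response body blob; None once deleted


def retention_days(plan: str, custom_days: Optional[int] = None) -> int:
    """Resolve the retention window for a workspace plan."""
    if plan in ("business", "enterprise"):
        if custom_days is None:
            raise ValueError("business/enterprise plans require a custom schedule")
        return custom_days
    return PLAN_RETENTION_DAYS[plan]


def apply_retention(snapshots: List[Snapshot], plan: str, now: datetime,
                    custom_days: Optional[int] = None) -> List[str]:
    """Delete payload blobs older than the retention window in place and
    return the ids of snapshots whose blob was removed. Metadata stays."""
    cutoff = now - timedelta(days=retention_days(plan, custom_days))
    deleted = []
    for snap in snapshots:
        if snap.payload is not None and snap.captured_at < cutoff:
            snap.payload = None        # blob gone, metadata untouched
            deleted.append(snap.snapshot_id)
    return deleted


def sample_snapshots(now: datetime) -> List[Snapshot]:
    """Constructed sample data: one old snapshot, one recent one."""
    return [
        Snapshot("snap-old", "mon-1", now - timedelta(days=5), 200,
                 "e3b0c442" + "0" * 56, b"<html>old body</html>"),
        Snapshot("snap-new", "mon-1", now - timedelta(days=1), 200,
                 "a1b2c3d4" + "0" * 56, b"<html>new body</html>"),
    ]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    snaps = sample_snapshots(now)
    print("free plan removed:", apply_retention(snaps, "free", now))
    print("metadata kept:", [(s.snapshot_id, s.body_sha256[:8], s.payload) for s in snaps])
```

The hash column is what lets a later audit confirm which content a snapshot held even after the body itself has been purged, which is the "operational metadata can remain" behaviour the bullet above refers to.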

Access and governance

  • Access to monitor settings and results is controlled by workspace membership and roles. See Roles and permissions.
  • Audit logging is used for governance-sensitive actions such as token lifecycle events, membership changes, and webhook changes. See Audit Log.
  • Data location, subprocessors, and deletion obligations are described in the DPA and Privacy Policy.

Recommendations

  • Put secrets in the Auth tab, not raw headers, whenever the monitor type supports it.
  • Use Headers only or Status only mode if body content should not be stored.
  • Limit workspace access to users who need monitor configuration or payload visibility.
  • Rotate credentials when personnel or vendors change, and revoke unneeded API tokens and webhook secrets promptly.