CapyDB
docs and blog
Main site
CapyDB Docs
Operations

Security

What is actually protecting your data, stated plainly. No badges we have not earned.

All docsAPI authenticationComplianceAudit log

Secrets at rest

  • Database credentials and integration tokens (Vercel, Netlify, Clerk keys, webhook signing secrets) are encrypted at rest with AES-GCM before they touch the metadata store.
  • API keys are never stored. Only a SHA-256 hash of the key material is kept; the plaintext is shown once at creation. A database leak does not yield usable keys.
  • Terminal job payloads are scrubbed so plaintext secrets do not persist in the job queue after completion.

Scoped access

  • API keys carry explicit scopes, and keys created with a project_id are confined to that single project — they cannot touch sibling projects, manage other keys, or mutate the organization. Use them for CI. See Authentication.
  • Destructive operations (project delete, overwrite-restore, key management) require the org admin role for human sessions, and an explicit confirmation flag where it matters most (project overwrite restore).
  • Every project-affecting action lands in the project audit trail.

Transport

  • Database connections require TLS (sslmode=require in every URL CapyDB hands out).
  • The API and dashboard are HTTPS only. Outbound webhooks are HTTPS only, signed with HMAC-SHA256, and receiver URLs must be public addresses (no SSRF into private ranges — the same guard applies to import sources).

Infrastructure

  • Workloads run on dedicated single-tenant EU cloud infrastructure; data residency is EU.
  • The operational tooling fails closed: the backend refuses to start with development credentials outside of explicitly insecure local modes, and executors must be configured deliberately rather than defaulting to something permissive.

Honest posture

CapyDB is a young product. There is no SOC 2 report and no HIPAA eligibility today — if your compliance regime requires those, we are not your host yet, and we would rather say so here than in a sales call. The full picture of what procurement can and cannot rely on is in Compliance. Questions about the security model, or something to report: contact support and a human who works on the backend will answer.

Extensions

The Postgres extensions available on CapyDB clusters, how to enable them per database, and why the list is an allowlist.

Compliance

What procurement can rely on today, what certifications do not exist yet, and which direction this is moving. No dates, no badges we have not earned.

On this page

Secrets at restScoped accessTransportInfrastructureHonest posture