Security
Last updated: March 2026
Infrastructure Security
- Hosted on Railway (US-based) with managed infrastructure
- PostgreSQL database managed by Railway with automated backups
- S3-compatible object storage via Railway Buckets for all uploaded documents
- HTTPS enforced on all endpoints
- Automated deployments from the `main` branch via Railway
Encryption
- In transit: TLS 1.2+ enforced on all connections
- At rest: AES-256 encryption via SSE-S3 for all stored documents
- Database encryption managed by Railway's PostgreSQL service
Data Backup & Recovery
- Database backups managed by Railway (frequency and retention depend on Railway's plan tier)
- Document storage (S3-compatible) provides built-in redundancy
- Recovery procedures available through Railway's managed infrastructure
Authentication & Access Control
- Clerk for authentication (SOC2 Type II certified)
- Session-based auth with secure, HTTP-only cookies
- API key authentication for the CLI — keys stored as SHA-256 hashes
- Role-based access control (USER/ADMIN)
- Item-level ownership enforcement — users can only access their own documents
- Multi-factor authentication (MFA) available through Clerk
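As an added illustration, not CandleKeep's own code, of the API-key and ownership controls listed above: keys are persisted only as SHA-256 digests, a presented key is resolved by hashing it and looking the digest up, and every document read is gated on the caller owning that document. The in-memory tables, the `ck_` key prefix and the function names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed in-memory stand-ins for the users, documents and api_keys tables
# (table layout and function names are assumptions, not CandleKeep's code).

@dataclass(frozen=True)
class User:
    id: int
    role: str  # "USER" or "ADMIN", the two roles named on the page

@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int

USERS: Dict[int, User] = {}
DOCUMENTS: Dict[int, Document] = {}
API_KEYS: Dict[str, int] = {}  # sha256 hex digest -> user id; plaintext never stored

def hash_key(key: str) -> str:
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def issue_api_key(user_id: int) -> str:
    """Mint a 256-bit random key, persist only its hash, return the plaintext once.
    Because the key itself is high-entropy, an unsalted SHA-256 lookup hash is
    sufficient; a password-style slow hash is only needed for low-entropy secrets."""
    key = "ck_" + secrets.token_urlsafe(32)  # "ck_" prefix is an assumption
    API_KEYS[hash_key(key)] = user_id
    return key

def authenticate(presented: str) -> Optional[int]:
    """Resolve a presented CLI key to a user id, or None if it is unknown."""
    if not presented.startswith("ck_"):
        return None
    return API_KEYS.get(hash_key(presented))

def can_access(user: User, doc: Document) -> bool:
    """Item-level ownership: only the document's owner may access it."""
    return doc.owner_id == user.id

def fetch_document(presented_key: str, doc_id: int) -> Document:
    """Authenticate, then enforce ownership before returning the document."""
    user_id = authenticate(presented_key)
    if user_id is None:
        raise PermissionError("invalid API key")
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours" so callers cannot enumerate ids.
    if doc is None or not can_access(USERS[user_id], doc):
        raise PermissionError("document not found")
    return doc
```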
Vendor Security
We carefully vet our vendors for security and compliance. See our full subprocessor list for details.
| Vendor | Compliance |
|---|---|
| Clerk | SOC2 Type II |
| PostHog | SOC2 Type II |
| Railway | SOC2 Type II |
| Polar | GDPR self-certified* |
Vendor compliance certifications are based on their published documentation as of March 2026. *GDPR compliance is self-reported by the vendor and has not been independently verified.
Change Management
- Git-based development workflow with pull requests for code changes
- Production deployments are automated via Railway and triggered from the `main` branch
- Full git history provides an audit trail for all code changes
Incident Response & Breach Notification
As a small team, we do not yet have a formally documented incident response plan. However, in the event of a security incident or data breach, we are committed to:
- Investigating promptly using application and infrastructure logs
- Notifying supervisory authorities within 72 hours as required by GDPR Art. 33
- Notifying affected users without undue delay per GDPR Art. 34
- Notifying affected California residents within the most expedient timeframe per CCPA
- Email notification for all material breaches
- Post-incident review and remediation
Formalized incident response runbooks and proactive monitoring are on our SOC2 roadmap (see below).
Compliance
CandleKeep is designed to align with GDPR (EU) and CCPA (California) requirements.
Our compliance controls include:
- Privacy policy
- Cookie consent mechanism (opt-in)
- Data subject rights handling via email (access, deletion, portability requests)
- Data retention policy
- Subprocessor transparency
SOC2 Roadmap
We are working toward SOC2 certification. The controls listed below reflect our current security practices, which have not yet been independently audited:
- Access control: Clerk authentication + role-based access (RBAC)
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Monitoring: Railway infrastructure logs and PostHog product analytics
- Change management: Git-based workflows with automated Railway deployments
Planned enhancements:
- Formal access reviews
- Annual penetration testing
- Expanded audit logging
- Vendor risk assessments
- Centralized security logging and monitoring
- Documented incident response runbooks
- Employee security awareness training
Responsible Disclosure
We welcome security researchers who discover vulnerabilities in CandleKeep. If you find a security issue, please email [email protected].
We commit to:
- Acknowledging reports within 48 hours
- Providing regular status updates on reported issues
- Not pursuing legal action against researchers acting in good faith
Enterprise
For custom security agreements, Data Processing Agreements (DPAs), or compliance questionnaires, contact [email protected].