Early access

Security & trust

Protections you can check,
not promises to trust.

Every control on this page is machine-verified or physically built into the architecture — you can inspect each one from the outside. Where a certification doesn't exist yet, you'll see that stated too, in the same plain type.

Tenant isolation, verified both ways

Your API key scopes every read, export, and analytic query to your tenant at the SQL level — there is no tenant parameter to get wrong. Isolation isn't a promise: a repeatable production test proves it in both directions, a probe tenant seeing only probe data and the production tenant seeing zero probe leakage. That test exists because it once caught a real leak.

The immutable ledger

Statements are never rewritten and never deleted. Hygiene — excluding test traffic, filtering noise — happens at query time, never by mutating the store. Test traffic is quarantined by construction under a reserved actor namespace, not retagged after the fact. One consequence that matters for security: an incident's blast radius is always reconstructable, because the record of what happened cannot have been altered.

In transit and at rest

Every request is HTTPS. Statements are stored in Postgres (Neon), reached only through the ingestion path — the API worker never writes statement bodies directly. Tenant metadata (keys, profiles) lives separately from the statement ledger, so the two are never confused.

Keys and secrets

Tenant keys travel as Authorization: Bearer and are revocable immediately. Internally, secrets move by file reference, never inline in logged commands, and any credential that could have transited a log is rotated. If you suspect a key is exposed, tell us and we revoke it on the spot.

Your data, always exportable

GET /export streams your entire ledger as open-format NDJSON on every tier — the same tenant-scoped isolation applies, so an export physically cannot contain another tenant's data. This is both the no-lock-in guarantee and the raw material for a GDPR access request or EU AI Act record-keeping. See Export & evidence and the EU AI Act page.

Sub-processors

The infrastructure that runs Empress, and what each part holds:

ProviderRoleRegion
CloudflareWorkers (API compute), Pages (this site), D1 (tenant metadata)US / global edge
NeonPostgres — the canonical immutable statement storeUS
Fly.ioHosts the LRS (xAPI ingestion front door) that writes to NeonUS
ClerkAuthentication for the dashboard only — never present in xAPI statementsUS

What you won't find here

No SOC 2, no ISO 27001, no third-party attestation — yet, and no badge appears on this page before it's earned. What you get today is the property those audits exist to check: a complete, immutable, isolated, exportable record you can inspect yourself. When formal certification is underway, this page will say exactly where it stands.

Reporting a vulnerability

Found a weakness, or a leaked key? Email [email protected] with the subject "SECURITY". We read it directly, we won't take legal action against good-faith research, and we'll tell you what we found and fixed.