Security & trust
Protections you can check,
not promises to trust.
Every control on this page is machine-verified or physically built into the architecture — you can inspect each one from the outside. Where a certification doesn't exist yet, you'll see that stated too, in the same plain type.
Tenant isolation, verified both ways
Your API key scopes every read, export, and analytic query to your tenant at the SQL level — there is no tenant parameter to get wrong. Isolation isn't a promise: a repeatable production test proves it in both directions, a probe tenant seeing only probe data and the production tenant seeing zero probe leakage. That test exists because it once caught a real leak.
The immutable ledger
Statements are never rewritten and never deleted. Hygiene — excluding test traffic, filtering noise — happens at query time, never by mutating the store. Test traffic is quarantined by construction under a reserved actor namespace, not retagged after the fact. One consequence that matters for security: an incident's blast radius is always reconstructable, because the record of what happened cannot have been altered.
In transit and at rest
Every request is HTTPS. Statements are stored in Postgres (Neon), reached only through the ingestion path — the API worker never writes statement bodies directly. Tenant metadata (keys, profiles) lives separately from the statement ledger, so the two are never confused.
Keys and secrets
Tenant keys travel as Authorization: Bearer and are revocable
immediately. Internally, secrets move by file reference, never inline in logged
commands, and any credential that could have transited a log is rotated. If you
suspect a key is exposed, tell us and we revoke it on the spot.
Your data, always exportable
GET /export streams your entire ledger as open-format NDJSON on
every tier — the same tenant-scoped isolation applies, so an export physically
cannot contain another tenant's data. This is both the no-lock-in guarantee and
the raw material for a GDPR access request or EU AI Act record-keeping. See
Export & evidence and the EU AI Act page.
Sub-processors
The infrastructure that runs Empress, and what each part holds:
| Provider | Role | Region |
|---|---|---|
| Cloudflare | Workers (API compute), Pages (this site), D1 (tenant metadata) | US / global edge |
| Neon | Postgres — the canonical immutable statement store | US |
| Fly.io | Hosts the LRS (xAPI ingestion front door) that writes to Neon | US |
| Clerk | Authentication for the dashboard only — never present in xAPI statements | US |
What you won't find here
No SOC 2, no ISO 27001, no third-party attestation — yet, and no badge appears on this page before it's earned. What you get today is the property those audits exist to check: a complete, immutable, isolated, exportable record you can inspect yourself. When formal certification is underway, this page will say exactly where it stands.
Reporting a vulnerability
Found a weakness, or a leaked key? Email [email protected] with the subject "SECURITY". We read it directly, we won't take legal action against good-faith research, and we'll tell you what we found and fixed.