Security overview
A plain-language summary of how we protect tenant data, plus the certifications we have, are working on, and have not yet earned. We publish this page so that procurement, security, and compliance teams can audit our posture without an NDA.
We do not yet hold SOC 2 or ISO 27001. We are in active preparation with a recognised auditor and publish quarterly progress here. Until that work is signed off, treat this page as the authoritative source — not unofficial blog claims.
Encryption in transit
TLS 1.2 or higher across every public endpoint. HSTS with two-year preload and includeSubDomains. No HTTP downgrade path.
Encryption at rest
Supabase-managed at-rest encryption for the primary Postgres database. AES-256-GCM envelope encryption (lib/crypto/secret-encryption.ts) for tenant-stored API keys and OAuth tokens. PII field-level encryption is on the Wave 3 roadmap.
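To make the envelope-encryption item above concrete, here is an added TypeScript example using Node's crypto module. It is not the project's lib/crypto/secret-encryption.ts; the record shape, the function names, and the AAD string format are assumptions for illustration. A random per-secret data key (DEK) encrypts the tenant secret, the DEK is wrapped under a long-lived key-encryption key (KEK), and a tenant-specific context is bound into both layers as additional authenticated data so that a record copied to another tenant fails to decrypt.

```typescript
// Added example of AES-256-GCM envelope encryption (not the project's own code).
import { createCipheriv, createDecipheriv, randomBytes } from "crypto";

const ALG = "aes-256-gcm";
const IV_LEN = 12;  // 96-bit nonce, the size GCM is specified for
const TAG_LEN = 16; // 128-bit authentication tag

// Hypothetical stored record: both layers hold iv || ciphertext || tag, base64-encoded.
export interface EnvelopeRecord {
  wrappedDek: string; // per-secret data key (DEK) encrypted under the key-encryption key (KEK)
  ciphertext: string; // the tenant secret encrypted under the DEK
  aad: string;        // context bound into both layers, e.g. "company:<id>:key:<name>" (assumed format)
}

function seal(key: Buffer, plaintext: Buffer, aad: Buffer): Buffer {
  const iv = randomBytes(IV_LEN); // fresh nonce per encryption; never reuse with the same key
  const cipher = createCipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  cipher.setAAD(aad);
  const body = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, body, cipher.getAuthTag()]);
}

function open(key: Buffer, blob: Buffer, aad: Buffer): Buffer {
  if (blob.length < IV_LEN + TAG_LEN) throw new Error("ciphertext too short");
  const iv = blob.subarray(0, IV_LEN);
  const tag = blob.subarray(blob.length - TAG_LEN);
  const body = blob.subarray(IV_LEN, blob.length - TAG_LEN);
  const decipher = createDecipheriv(ALG, key, iv, { authTagLength: TAG_LEN });
  decipher.setAAD(aad);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: any modified byte or a wrong AAD is rejected.
  return Buffer.concat([decipher.update(body), decipher.final()]);
}

export function encryptSecret(kek: Buffer, secret: string, aad: string): EnvelopeRecord {
  const dek = randomBytes(32); // 256-bit data key, unique to this secret
  const aadBuf = Buffer.from(aad, "utf8");
  return {
    wrappedDek: seal(kek, dek, aadBuf).toString("base64"),
    ciphertext: seal(dek, Buffer.from(secret, "utf8"), aadBuf).toString("base64"),
    aad,
  };
}

// The caller passes the context it expects (taken from the authenticated session,
// not from the record), so a record moved between tenants fails authentication.
export function decryptSecret(kek: Buffer, rec: EnvelopeRecord, expectedAad: string): string {
  const aadBuf = Buffer.from(expectedAad, "utf8");
  const dek = open(kek, Buffer.from(rec.wrappedDek, "base64"), aadBuf);
  return open(dek, Buffer.from(rec.ciphertext, "base64"), aadBuf).toString("utf8");
}

// KEK rotation re-wraps the DEK only; the tenant ciphertext is never touched.
export function rotateKek(oldKek: Buffer, newKek: Buffer, rec: EnvelopeRecord): EnvelopeRecord {
  const aadBuf = Buffer.from(rec.aad, "utf8");
  const dek = open(oldKek, Buffer.from(rec.wrappedDek, "base64"), aadBuf);
  return { ...rec, wrappedDek: seal(newKek, dek, aadBuf).toString("base64") };
}

// True when decryption under a mismatched context is rejected, as it must be.
export function rejectsWrongContext(kek: Buffer, rec: EnvelopeRecord, wrongAad: string): boolean {
  try {
    decryptSecret(kek, rec, wrongAad);
    return false;
  } catch {
    return true;
  }
}
```

The two-layer design is what makes KEK rotation cheap: rotateKek re-wraps one 32-byte DEK per record instead of re-encrypting every stored token. In production the KEK would live in a KMS or secrets manager rather than in process memory as it does here.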
Tenant isolation
Postgres row-level security enforces company_id filtering at the database layer — not just the application. Cross-tenant SELECT, UPDATE, and DELETE are blocked by policy and continuously regression-tested.
Audit logging
Every state-changing operation lands in an append-only audit_log table. Wave 1 ships a SHA-256 hash-chain so any past-row tampering is detectable by a single verify command. 7-year retention via monthly partitions and archive.
Rate limiting, webhooks, and CSP
Per-IP fixed-window gate on the auth surface, backed by Upstash Redis (multi-instance) with a local in-memory fallback. Stripe webhook protected by HMAC + replay window. CSP locked to nonce-based script-src — no unsafe-inline.
Backups and disaster recovery
Supabase point-in-time recovery (rolling 7 days on the default tier; 30-day window for production). DR drill on the live tenant restore path is run quarterly — see docs/runbooks/dr-tenant-restore.md.
Data processing agreement
GDPR Article 28 compliant DPA, drafted to also cover UAE PDPL and Türkiye KVKK. Public version is published; customer-specific addenda available on request.
Data subject rights
Article 17 (erasure) and Article 20 (portability) are self-service from the user profile. A 30-day grace window and audit-trail-preserving redaction protect both the user and the integrity of historical records.
SOC 2 readiness
Vendor selection underway (Vanta / Drata / Secureframe). Target: Type I report within 9 months of plan kickoff, Type II report 6 months thereafter.
Penetration testing
Annual third-party penetration test scoped for the public app, the marketing surfaces, and the admin console. Summary findings published once remediation is verified.
Vulnerability disclosure
Email security@klyrix-ledger.com with reproduction steps. We acknowledge every report and aim for a fix-or-mitigation decision within 90 days. The same details are published in machine-readable form at /.well-known/security.txt.
Looking for more? Read the full DPA or check the live platform status.