A prudent public summary
This page lists operational controls that are safe to describe publicly. Specific configurations are shared with customers under NDA ([contact](/contact)).
Tamper-evident administration
Every admin action lands in an audit log that is itself sealed into a hash chain on a schedule. Editing or deleting a past audit row breaks verification at that exact row — and because seals store the canonical content, a deleted row is even recoverable. This system has caught a real bug in production; we consider that a feature.
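The mechanism described above, as an added example that is not the operator's own code: a scheduled sealer that stores each batch of audit rows in canonical form and chains the seals with SHA-256, and a verifier that walks the chain and reports the exact row that was edited or deleted, returning the sealed copy of a deleted row. The row layout, the `GENESIS` anchor and the sample admin actions are constructed for the example.

```python
import hashlib
import json

# Constructed anchor for the first seal; a real deployment would pin this to
# a value recorded out of band (for example a published genesis hash).
GENESIS = "0" * 64


def canonical(row: dict) -> str:
    """Canonical JSON encoding: sorted keys, fixed separators, so identical
    row content always produces identical bytes (and therefore hashes)."""
    return json.dumps(row, sort_keys=True, separators=(",", ":"))


def chain_hash(prev_hash: str, content: list[str]) -> str:
    """Seal hash = SHA-256 over the previous seal's hash plus every canonical
    row, newline-delimited. Including prev_hash is what links the seals."""
    h = hashlib.sha256(prev_hash.encode())
    for c in content:
        h.update(b"\n" + c.encode())
    return h.hexdigest()


def seal_batch(rows: list[dict], prev_hash: str) -> dict:
    """Seal one scheduled batch of audit rows. The seal stores the canonical
    content itself, which is what makes a deleted row recoverable later."""
    content = [canonical(r) for r in rows]
    return {"prev": prev_hash, "content": content, "hash": chain_hash(prev_hash, content)}


def verify(live_rows: list[dict], seals: list[dict]) -> list[dict]:
    """Walk the seal chain and compare sealed content with the live audit table.
    Returns a list of findings; an empty list means the log verifies clean."""
    findings = []
    live = {r["id"]: r for r in live_rows}
    prev = GENESIS
    for n, s in enumerate(seals):
        # Chain integrity: the seal must link to the previous one and still
        # hash to its stored value. Past a broken seal nothing can be trusted.
        if s["prev"] != prev or chain_hash(prev, s["content"]) != s["hash"]:
            findings.append({"seal": n, "status": "seal-tampered"})
            break
        # Row integrity: every sealed row must still exist, unchanged.
        for c in s["content"]:
            sealed = json.loads(c)
            current = live.get(sealed["id"])
            if current is None:
                findings.append({"row": sealed["id"], "status": "deleted", "recovered": sealed})
            elif canonical(current) != c:
                findings.append({"row": sealed["id"], "status": "modified", "recovered": sealed})
        prev = s["hash"]
    return findings


def demo() -> dict:
    """Seal four constructed admin actions in two batches, then show a clean
    verification beside one where row 2 was edited and row 3 deleted."""
    rows = [
        {"id": 1, "actor": "alice", "action": "role.grant", "target": "bob", "ts": "2024-05-01T09:00:00Z"},
        {"id": 2, "actor": "alice", "action": "key.rotate", "target": "api", "ts": "2024-05-01T09:05:00Z"},
        {"id": 3, "actor": "carol", "action": "user.disable", "target": "dave", "ts": "2024-05-01T10:00:00Z"},
        {"id": 4, "actor": "carol", "action": "role.revoke", "target": "bob", "ts": "2024-05-01T10:30:00Z"},
    ]
    seals = [seal_batch(rows[:2], GENESIS)]
    seals.append(seal_batch(rows[2:], seals[0]["hash"]))

    tampered = [dict(r) for r in rows if r["id"] != 3]  # row 3 deleted
    tampered[1]["actor"] = "mallory"                     # row 2 rewritten
    return {"clean": verify(rows, seals), "tampered": verify(tampered, seals),
            "seals": seals, "rows": rows}


if __name__ == "__main__":
    for finding in demo()["tampered"]:
        print(finding)
```

The chain only buys anything if the seals live somewhere the audit-table writer cannot also rewrite (an append-only store, a separate account, or a hash published out of band); if the same role can edit rows and re-seal, the verifier will happily pass a rewritten history. Rows appended after the latest seal are not covered until the next scheduled seal, which is the window the seal cadence controls.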
Backups that provably restore
Nightly encrypted dumps, and a weekly restore drill: the newest backup is restored into a scratch database and verified against minimum row counts for the load-bearing tables. A drill failure pages the operator. A backup that has never been restored is a hope, not a backup.
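The restore drill above, as an added example rather than the operator's own tooling: dump a live database, restore the dump into a throwaway scratch database, and check the load-bearing tables against minimum row counts; whatever comes back in the failure list is what would page the operator. It uses Python's built-in `sqlite3` so it runs offline, leaves out the encryption step the page mentions, and the `MINIMUMS` thresholds and sample tables are constructed.

```python
import sqlite3

# Constructed thresholds for the load-bearing tables: a restore that comes back
# with fewer rows than this is treated as a failed drill.
MINIMUMS = {"users": 3, "orders": 2}


def dump_database(conn: sqlite3.Connection) -> str:
    """Produce a plain-SQL dump of a live database (sqlite3's iterdump)."""
    return "\n".join(conn.iterdump())


def restore_to_scratch(dump_sql: str) -> sqlite3.Connection:
    """Restore a dump into a brand-new scratch database, never the live one."""
    scratch = sqlite3.connect(":memory:")
    scratch.executescript(dump_sql)
    return scratch


def verify_restore(scratch: sqlite3.Connection, minimums: dict) -> list[str]:
    """Check each load-bearing table against its minimum row count.
    Returns the list of failures; an empty list means the drill passed."""
    failures = []
    for table, minimum in minimums.items():
        # Table names come from operator config, but still refuse anything
        # that is not a bare identifier before interpolating it into SQL.
        if not table.isidentifier():
            raise ValueError(f"refusing suspicious table name {table!r}")
        try:
            (count,) = scratch.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()
        except sqlite3.OperationalError:
            failures.append(f"{table}: missing from restored backup")
            continue
        if count < minimum:
            failures.append(f"{table}: {count} rows < minimum {minimum}")
    return failures


def run_drill(dump_sql: str, minimums: dict = MINIMUMS) -> list[str]:
    """One drill: restore the newest dump into scratch and verify it.
    Anything in the returned list is what would page the operator."""
    scratch = restore_to_scratch(dump_sql)
    try:
        return verify_restore(scratch, minimums)
    finally:
        scratch.close()


def build_sample_dump(truncate: bool = False) -> str:
    """Constructed live data: a healthy database, or one that lost its orders
    table and most of its users (simulating a bad or partial backup)."""
    live = sqlite3.connect(":memory:")
    live.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL);
        INSERT INTO users VALUES (1,'a@example.test'),(2,'b@example.test'),(3,'c@example.test');
        CREATE TABLE orders (id INTEGER PRIMARY KEY, user_id INTEGER NOT NULL);
        INSERT INTO orders VALUES (1,1),(2,2);
    """)
    if truncate:
        live.executescript("DELETE FROM users WHERE id > 1; DROP TABLE orders;")
    dump = dump_database(live)
    live.close()
    return dump


if __name__ == "__main__":
    print("healthy backup:", run_drill(build_sample_dump()) or "drill passed")
    print("partial backup:", run_drill(build_sample_dump(truncate=True)))
```

Minimum row counts are a floor, not a proof of completeness: they catch an empty or truncated table, which is the common failure, but a backup that lost the most recent day would still pass. A drill that also compares the newest timestamp in each table against the dump time closes that gap.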
Degradation, not outage
Maintenance flips the public site to read-only: every page and API read keeps serving while writes receive a friendly 503 + Retry-After. The admin plane is separate and never gated by the flag.
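The read-only gate above, as an added example and not the operator's own code: a WSGI middleware that wraps only the public application, lets safe methods through unchanged while the maintenance flag is set, and answers every write with 503 plus a `Retry-After` header. The admin plane is modelled as a second application that the gate never wraps, which is how "never gated by the flag" holds. The `Maintenance` flag object, the stand-in `upstream` app and the 300-second retry hint are assumptions made for the example.

```python
from wsgiref.util import setup_testing_defaults

# HTTP methods that are reads and must keep serving during maintenance.
SAFE_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class ReadOnlyGate:
    """WSGI middleware for the public plane: while the maintenance flag is set,
    reads pass through untouched and writes get 503 + Retry-After."""

    def __init__(self, app, read_only_flag, retry_after_seconds: int = 300):
        self.app = app
        self.read_only_flag = read_only_flag      # callable: is maintenance on right now?
        self.retry_after = str(retry_after_seconds)

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET").upper()
        if self.read_only_flag() and method not in SAFE_METHODS:
            body = b"Maintenance in progress: writes are paused, reads still work. Please retry shortly.\n"
            start_response("503 Service Unavailable", [
                ("Content-Type", "text/plain; charset=utf-8"),
                ("Retry-After", self.retry_after),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        return self.app(environ, start_response)


def upstream(environ, start_response):
    """Stand-in for the real application: answers every request with 200."""
    body = f"{environ['REQUEST_METHOD']} {environ['PATH_INFO']} ok\n".encode()
    start_response("200 OK", [("Content-Type", "text/plain; charset=utf-8"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, method: str, path: str) -> tuple:
    """Invoke a WSGI app in-process and return (status, headers) for inspection."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REQUEST_METHOD"] = method
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    list(app(environ, start_response))  # drain the body iterable
    return captured["status"], captured["headers"]


class Maintenance:
    """Operator-controlled flag; the gate reads it on every request, so flipping
    it takes effect immediately without a restart."""

    def __init__(self):
        self.on = False

    def __call__(self):
        return self.on


maintenance = Maintenance()
public_app = ReadOnlyGate(upstream, maintenance)  # public site: gated
admin_app = upstream                               # admin plane: not wrapped, never gated


if __name__ == "__main__":
    maintenance.on = True
    print("GET  /        ->", call(public_app, "GET", "/")[0])
    print("POST /orders  ->", call(public_app, "POST", "/orders"))
    print("POST /admin/x ->", call(admin_app, "POST", "/admin/x")[0])
```

Two details matter operationally: the gate decides on the HTTP method, so any write tunnelled through `GET` (which should not exist anyway) would slip through, and the flag is consulted per request rather than cached at startup, so the switch to read-only and back is immediate. Keeping the admin plane on a separate application (or listener) rather than on a path prefix inside the gated one avoids a prefix-matching mistake silently locking operators out during the very maintenance that needs them.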
Self-measured availability
A canary exercises real user paths continuously; [the status page](/network-status) shows the same numbers we see — last 30 days are displayed on [/trust](/trust).
Disclosure
Security contact and policy: [security.txt](/.well-known/security.txt). We acknowledge verified reports and credit reporters who want credit.