
SOC 2 & Our Security Program

Where Railbase stands on SOC 2, the controls we run today, our data boundary, and how to report a vulnerability.

SOC 2 status

Railbase (operated by Silkway Tech, LLC) does not currently hold a formal SOC 2 report. We are honest about that. What we do maintain is a SOC 2-aligned control program mapped to the Security category of the AICPA Trust Services Criteria, with the controls below implemented in code and covered by automated tests.

A formal SOC 2 Type I examination can be initiated when an enterprise procurement process requires it. We can share a security packet on request.

Controls we run today

Access control: separate administrator and application identities; role-based access control; mandatory two-factor authentication for operator accounts (TOTP plus one-time recovery codes).
Encryption: Vault storage is encrypted at rest with XChaCha20-Poly1305, with pluggable key management (AWS/GCP/HashiCorp/HSM). Plugin bundles are encrypted at rest and decrypted only when licensed.
Software integrity: every core binary and plugin is signed with Ed25519 and, before it runs, verified against pinned vendor keys (SHA-256 digest plus signature). Plugins must also pass a blocking install-time contract check.
Licensing: unpaid, expired or revoked plugin code is never decrypted or executed; the check is fail-closed at the point of execution.
Tenant isolation: data access is tenant-scoped, and the storage layer keeps each tenant's data physically separate.
Audit: a tamper-evident, hash-chained audit trail that can be verified independently.
Change management: every change goes through version control and automated test gates in CI (core, Vault and the distribution service). Core release builds are signed with cosign and carry SLSA build provenance; plugin bundles are signed and verified as described under software integrity.
Backups: Vault produces consistent, crash-safe backups and verifies restores (fault-injection tested). The railbase.app service takes snapshot-consistent database backups; a documented restore drill and offsite retention are in progress.
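The software integrity row above says each binary and plugin is checked against pinned vendor keys (SHA-256 digest plus Ed25519 signature) before it runs, and that the check fails closed. The following Go program is an added illustration of that pattern, written for this page; it is not Railbase's loader, and the manifest layout, the key id "vendor-2024" and the plugin bytes are all constructed for the example. It shows the three outcomes a practitioner should test: a genuine artifact is accepted, a tampered artifact is rejected on the digest, and an artifact signed by an unpinned key is rejected on the signature.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the metadata a loader would receive alongside an artifact.
// This layout is an assumption for the example, not Railbase's bundle format.
type Manifest struct {
	Name      string
	SHA256    string // hex digest the publisher claims for the artifact
	Signature []byte // Ed25519 signature over the digest bytes
	KeyID     string // which pinned vendor key signed it
}

var ErrUntrusted = errors.New("artifact rejected: integrity check failed")

// Loader holds the pinned vendor keys. Anything not signed by one of them is
// refused, which is the fail-closed behaviour the page describes.
type Loader struct {
	pinned map[string]ed25519.PublicKey
}

// Verify returns nil only when every step passes. There is no fallback path
// that runs unverified code.
func (l *Loader) Verify(artifact []byte, m Manifest) error {
	pub, ok := l.pinned[m.KeyID]
	if !ok {
		return fmt.Errorf("%w: unknown key id %q", ErrUntrusted, m.KeyID)
	}
	sum := sha256.Sum256(artifact)
	claimed, err := hex.DecodeString(m.SHA256)
	if err != nil || !bytes.Equal(claimed, sum[:]) {
		return fmt.Errorf("%w: digest mismatch for %s", ErrUntrusted, m.Name)
	}
	// The signature covers the digest, so swapping the artifact also requires
	// forging a signature under the pinned key.
	if !ed25519.Verify(pub, sum[:], m.Signature) {
		return fmt.Errorf("%w: bad signature for %s", ErrUntrusted, m.Name)
	}
	return nil
}

// Sign is the publisher side, included so the example runs on its own.
func Sign(priv ed25519.PrivateKey, keyID, name string, artifact []byte) Manifest {
	sum := sha256.Sum256(artifact)
	return Manifest{
		Name: name, KeyID: keyID,
		SHA256:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// Demo signs a constructed plugin blob with a freshly generated vendor key and
// reports whether the genuine, tampered and wrongly signed copies are accepted.
func Demo() (genuineOK, tamperedOK, wrongKeyOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	loader := &Loader{pinned: map[string]ed25519.PublicKey{"vendor-2024": pub}}

	plugin := []byte("constructed plugin bundle v1.0") // constructed sample, not a real plugin
	m := Sign(priv, "vendor-2024", "example-plugin", plugin)
	genuineOK = loader.Verify(plugin, m) == nil

	tampered := append([]byte(nil), plugin...)
	tampered[0] ^= 0x01 // one flipped bit is enough to fail the digest
	tamperedOK = loader.Verify(tampered, m) == nil

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	rogue := Sign(otherPriv, "vendor-2024", "example-plugin", plugin) // claims the pinned key id
	wrongKeyOK = loader.Verify(plugin, rogue) == nil
	return
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine accepted=%v tampered accepted=%v wrong-key accepted=%v\n", g, t, w)
}
```

Signing the digest rather than the raw bytes keeps the signed message small and lets the same manifest carry both the digest a mirror can check cheaply and the signature that ties it to the vendor key; the important property is that the loader never starts the artifact when either check fails.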

We continue to close the gap between this program and a formal report — including governance documentation, dependency scanning, and periodic control reviews.
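The audit row in the table above describes a hash-chained trail that an independent party can verify. The Go program below is an added illustration of how such a chain is built and checked; it is written for this page and is not Railbase's audit implementation, and the record fields, the genesis hash and the three sample entries are constructed for the example. It exports the chain as newline-delimited JSON, verifies the export, then shows that both editing one record and deleting one record are detected at the first broken link.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Entry is one audit record. Each entry commits to the hash of the entry
// before it, so editing, reordering or deleting any record breaks every link
// after it. The layout is an assumption for this example, not Railbase's schema.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// GenesisHash anchors the chain. A verifier must learn it (and ideally the
// latest head hash) through a channel the log writer cannot rewrite.
const GenesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// entryHash covers every field except Hash itself, in a fixed order so the
// writer and the verifier hash exactly the same bytes.
func entryHash(e Entry) string {
	canonical := fmt.Sprintf("%d|%s|%s|%s", e.Seq, e.Actor, e.Action, e.PrevHash)
	sum := sha256.Sum256([]byte(canonical))
	return hex.EncodeToString(sum[:])
}

// Append builds the next entry linked to the current head hash.
func Append(head string, seq uint64, actor, action string) Entry {
	e := Entry{Seq: seq, Actor: actor, Action: action, PrevHash: head}
	e.Hash = entryHash(e)
	return e
}

// Verify recomputes each hash from the record's content and checks the link
// to its predecessor. It returns the 1-based position of the first bad entry,
// or 0 if the chain is intact.
func Verify(log []Entry) int {
	prev := GenesisHash
	for i, e := range log {
		if e.Seq != uint64(i+1) || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i + 1
		}
		prev = e.Hash
	}
	return 0
}

// ExportNDJSON and ParseLog round-trip the chain through newline-delimited
// JSON, the shape an exported trail handed to an auditor might take.
func ExportNDJSON(log []Entry) string {
	var sb strings.Builder
	for _, e := range log {
		b, _ := json.Marshal(e)
		sb.Write(b)
		sb.WriteByte('\n')
	}
	return sb.String()
}

func ParseLog(ndjson string) ([]Entry, error) {
	var out []Entry
	for _, line := range strings.Split(strings.TrimSpace(ndjson), "\n") {
		var e Entry
		if err := json.Unmarshal([]byte(line), &e); err != nil {
			return nil, err
		}
		out = append(out, e)
	}
	return out, nil
}

// Demo builds a constructed three-entry chain and reports what Verify says
// about the intact export, an edited record and a deleted record.
func Demo() (intact, edited, deleted int) {
	e1 := Append(GenesisHash, 1, "alice", "login")
	e2 := Append(e1.Hash, 2, "alice", "export vault")
	e3 := Append(e2.Hash, 3, "bob", "revoke plugin")

	exported, err := ParseLog(ExportNDJSON([]Entry{e1, e2, e3}))
	if err != nil {
		panic(err)
	}
	intact = Verify(exported)

	tampered := []Entry{e1, e2, e3} // struct values are copied; e2 itself is untouched
	tampered[1].Action = "read vault" // rewriting history changes the hash
	edited = Verify(tampered)

	deleted = Verify([]Entry{e1, e3}) // dropping the export record breaks e3's link
	return
}

func main() {
	i, e, d := Demo()
	fmt.Printf("intact first-bad=%d edited first-bad=%d deleted first-bad=%d\n", i, e, d)
}
```

The chain alone only proves internal consistency: a writer who controls the whole file can rebuild every hash. Independent verification therefore also needs the head hash published somewhere the writer cannot change after the fact (a signed checkpoint, a second system, or a printed value from a previous review), which is the out-of-band anchor the genesis constant stands in for here.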

Data boundary

For self-hosted deployments, your operational data lives in your own Vault file on your infrastructure. Silkway Tech does not receive it.

railbase.app (the distribution, licensing and billing service) holds only the commerce data it needs to sell and license Railbase: account email, subscription and license records, payment metadata processed by Stripe, and sanctions-screening results. It never receives your business application data.

Reporting a vulnerability

Please report security issues privately to security@railbase.app; do not open a public issue. See our security.txt (RFC 9116) and full security policy. We aim to acknowledge reports within 3 business days.
