SOC 2 & Our Security Program
Where Railbase stands on SOC 2, the controls we run today, our data boundary, and how to report a vulnerability.
SOC 2 status
Railbase (operated by Silkway Tech, LLC) does not currently hold a formal SOC 2 report. We are honest about that. What we do maintain is a SOC 2-aligned control program mapped to the AICPA Trust Services Criteria (Security), with the controls below implemented in code and covered by automated tests.
A formal SOC 2 Type I examination can be initiated when an enterprise procurement process requires it. We can share a security packet on request.
Controls we run today
| Area | What's in place |
|---|---|
| Access control | Separated administrator and application identities; role-based access control; mandatory two-factor authentication for operator accounts (TOTP + one-time recovery codes). |
| Encryption | Vault storage is encrypted at rest (XChaCha20-Poly1305) with pluggable KMS (AWS/GCP/HashiCorp/HSM). Plugin bundles are encrypted at rest and only decrypted when licensed. |
| Software integrity | Every core binary and plugin is signed (Ed25519) and verified by SHA-256 + signature against pinned vendor keys before it runs. Plugins pass a blocking install-time contract check. |
| Licensing | Unpaid, expired or revoked plugin code is never decrypted or executed (fail-closed at the execution point). |
| Tenant isolation | Tenant-scoped data access; the storage layer keeps each tenant physically separate. |
| Audit | Tamper-evident, hash-chained audit trail with independent verification. |
| Change management | All changes go through version control and automated test gates in CI (core, Vault and the distribution service). Core release builds are signed with cosign and carry SLSA build provenance; every plugin bundle is signed and verified before it runs. |
| Backups | Vault produces consistent, crash-safe backups and verifies restores (fault-injection tested). The railbase.app service takes snapshot-consistent database backups; a documented restore drill and offsite retention are in progress. |
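The verification step described under Software integrity, written out as an added Go example (not Railbase's own code). It assumes a manifest carrying a key ID, the expected SHA-256 of the bundle bytes and an Ed25519 signature over that digest, plus a pinned key set compiled into the verifier; every failure path returns ErrUntrusted so the caller never executes the bundle.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// PinnedKeys maps a key ID to a trusted vendor public key (assumed to ship inside the core binary).
type PinnedKeys map[string]ed25519.PublicKey
// Manifest is the assumed per-bundle metadata: signing key ID, expected SHA-256 of the
// bundle bytes, and an Ed25519 signature over that 32-byte digest.
type Manifest struct {
	KeyID     string
	SHA256Hex string
	Signature []byte
}
// ErrUntrusted is the single fail-closed outcome; the caller must not execute the bundle.
var ErrUntrusted = errors.New("bundle not trusted")
// VerifyBundle returns nil only if the digest matches and a pinned key signed it.
func VerifyBundle(bundle []byte, m Manifest, keys PinnedKeys) error {
	pub, ok := keys[m.KeyID]
	if !ok {
		return fmt.Errorf("%w: key id %q is not pinned", ErrUntrusted, m.KeyID)
	}
	sum := sha256.Sum256(bundle)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return fmt.Errorf("%w: SHA-256 mismatch", ErrUntrusted)
	}
	if !ed25519.Verify(pub, sum[:], m.Signature) {
		return fmt.Errorf("%w: signature does not verify", ErrUntrusted)
	}
	return nil
}
// SignBundle is the vendor-side step, included only to make the example self-contained.
func SignBundle(bundle []byte, keyID string, priv ed25519.PrivateKey) Manifest {
	sum := sha256.Sum256(bundle)
	return Manifest{KeyID: keyID, SHA256Hex: hex.EncodeToString(sum[:]), Signature: ed25519.Sign(priv, sum[:])}
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	keys, bundle := PinnedKeys{"vendor-2024": pub}, []byte("constructed plugin bundle")
	m := SignBundle(bundle, "vendor-2024", priv)
	fmt.Println("genuine:", VerifyBundle(bundle, m, keys))
	fmt.Println("tampered:", VerifyBundle(append([]byte("x"), bundle...), m, keys))
}
```

Note that the digest check alone is not enough: a tampered bundle shipped with a recomputed digest still fails because the signature over the digest no longer verifies against a pinned key.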
We continue to close the gap between this program and a formal report — including governance documentation, dependency scanning, and periodic control reviews.
Data boundary
For self-hosted deployments, your operational data lives in your own Vault file on your infrastructure. Silkway Tech does not receive it.
railbase.app — the distribution, licensing and billing service — holds only commerce data it needs to sell and license Railbase (account email, subscription and license records, payment metadata processed by Stripe, and sanctions-screening results). It never receives your business application data.
Reporting a vulnerability
Please report security issues privately to security@railbase.app — do not open a public issue. See our security.txt and full security policy. We aim to acknowledge within 3 business days.