# SOC 2 & Our Security Program

> Where Railbase stands on SOC 2, the controls we run today, our data boundary, and how to report a vulnerability.

_Updated: 2026-07-04_

## SOC 2 status

Railbase (operated by **Silkway Tech, LLC**) does **not** currently hold a formal
SOC 2 report. We are honest about that. What we do maintain is a **SOC 2-aligned
control program** mapped to the AICPA Trust Services Criteria (Security), with the
controls below implemented in code and covered by automated tests.

A formal **SOC 2 Type I** examination can be initiated when an enterprise
procurement process requires it. We can share a security packet on request.

## Controls we run today

| Area | What's in place |
| --- | --- |
| **Access control** | Separated administrator and application identities; role-based access control; **mandatory two-factor authentication** for operator accounts (TOTP + one-time recovery codes). |
| **Encryption** | Vault storage is encrypted at rest (XChaCha20-Poly1305) with pluggable KMS (AWS/GCP/HashiCorp/HSM). Plugin bundles are encrypted at rest and only decrypted when licensed. |
| **Software integrity** | Every core binary and plugin is signed (Ed25519) and verified by SHA-256 + signature against pinned vendor keys before it runs. Plugins pass a blocking install-time contract check. |
| **Licensing** | Unpaid, expired or revoked plugin code is never decrypted or executed (fail-closed at the execution point). |
| **Tenant isolation** | Tenant-scoped data access; the storage layer keeps each tenant physically separate. |
| **Audit** | Tamper-evident, hash-chained audit trail with independent verification. |
| **Change management** | All changes go through version control and automated test gates in CI (core, Vault and the distribution service). **Core** release builds are signed with cosign and carry SLSA build provenance; every plugin bundle is signed and verified before it runs. |
| **Backups** | **Vault** produces consistent, crash-safe backups and verifies restores (fault-injection tested). The **railbase.app** service takes snapshot-consistent database backups; a documented restore drill and offsite retention are in progress. |

We continue to close the gap between this program and a formal report — including
governance documentation, dependency scanning, and periodic control reviews.

## Data boundary

For **self-hosted** deployments, your operational data lives in **your own** Vault
file on **your** infrastructure. Silkway Tech does not receive it.

**railbase.app** — the distribution, licensing and billing service — holds only
commerce data it needs to sell and license Railbase (account email, subscription
and license records, payment metadata processed by Stripe, and sanctions-screening
results). It never receives your business application data.

## Reporting a vulnerability

Please report security issues privately to **security@railbase.app** — do not open
a public issue. See our [security.txt](/.well-known/security.txt) and full
[security policy](https://github.com/railbase/railbase.app/blob/main/SECURITY.md).
We aim to acknowledge within 3 business days.
