Trust & security

You’re handing us your Stripe keys and your database. Here’s exactly what we do with them.

ParityRail reconciles what your billing promised against what your app actually grants. That means we hold credentials to your production systems — so trust isn’t a feature here, it’s the product. This page lays out the guarantees, the subprocessors, and the honest state of our compliance posture.

Read-only by default

We read your Stripe account and app database. Writes only happen through a repair you explicitly approve, on a single row, within a column allowlist.

Encrypted end to end

Credentials are sealed with AES-256-GCM before storage and never shown back to you. Everything travels over TLS.

Strict tenant isolation

Every page, action, and API route runs a tenancy check first. One workspace can never see another's data.

Append-only audit log

Every change is written to a ledger the database itself won't let us edit or delete after the fact.

Scoped API keys

Keys are stored as SHA-256 hashes, scoped to an org or a single project, and split into read vs. repair capability.

Honest posture

We are not SOC 2 certified yet. Below is exactly where we stand and where we're headed — no theater.

Access

What data ParityRail accesses

ParityRail connects to two systems per project, and the access it requests is deliberately minimal:

  • Stripe — read only. You provide a restricted Stripe key with read scopes. Our connector makes no write calls to Stripe, ever. We read customers, subscriptions, prices, and entitlements to compute what access each payment promised.
  • Your app database — read only by default. You connect a Postgres role granted only SELECT. On top of that, every read connection sets default_transaction_read_only = on — a database-level lock, not just a permission we ask you to trust.
  • Narrow repair grants — opt-in. If you enable repairs, you provide a separate role that may write only to the specific plan, premium, trial, and entitlement columns your mappings name. Repairs are single-row, parameterized, and approved by a human by default.

We do not ask for, and have no use for, your application source code, your customers’ passwords, or any table outside the mappings you configure.

Encryption

Encryption at rest and in transit

Your secrets — Stripe API keys, database connection strings, webhook signing secrets — are sealed with AES-256-GCM using a server-side key before they ever touch storage. Sealed values are versioned, and the plaintext never returns to the browser. The dashboard only shows non-secret identifiers, like a database host and name.

All traffic — between you and ParityRail, and between ParityRail and your systems — is encrypted in transit with TLS.

Isolation

Tenant isolation

ParityRail is multi-tenant: one system serving every customer’s workspace. Keeping workspaces apart is enforced as a hard rule.

  • Every project-scoped page, server action, and API route passes a tenancy check before it does anything.
  • A request for a project you can’t reach is indistinguishable from a request for one that doesn’t exist — we never confirm or deny what we can’t show you.
  • API keys are hashed with SHA-256 (the plaintext is shown once, at creation), scoped to your organization or a single project, and carry an explicit capability — read for read-only API and MCP access, or repair for approving and executing mutating actions.

Auditability

Append-only audit log

Every state-changing operation — a repair executed, an incident ignored, a verification result — is written to an audit log with the actor, the target, and the before/after state. Each entry is chained to the previous one with a hash.

The append-only guarantee is enforced by the database itself: triggers reject any attempt to UPDATE or DELETE an audit row. Not even ParityRail can rewrite history. Your per-customer Access Ledger is built directly from this record, so the story behind any promise is traceable and audit-ready.

Subprocessors

Who else touches the data

ParityRail relies on a short list of infrastructure subprocessors. We keep it small on purpose.

SubprocessorPurposeRegion
VercelApplication hosting and serverless computeUnited States
Managed Postgres hostParityRail's own database (your encrypted credentials, incidents, audit log)United States
ResendTransactional and alert email deliveryUnited States

The current list also lives in our data processing addendum. We’ll post material changes there before they take effect.

Retention

Data retention, deletion, and export

  • State snapshots captured during reconciliation are retained on a rolling 90-day window and pruned automatically after that.
  • Incidents and audit records are retained for the life of your workspace so your Access Ledger stays complete and audit-ready.
  • Deletion. Deleting a project removes its configuration and connected credentials. On request, we will delete a workspace and its associated data; write to security@parityrail.com.
  • Export.Your data is yours. Incidents and audit history are available through the API, and we’ll help with a full export on request.

Response

Incident response & reporting

If you believe you’ve found a vulnerability, or you suspect a security incident involving ParityRail, email security@parityrail.com. We aim to acknowledge reports within two business days and will keep you updated as we investigate.

Our machine-readable contact details follow the security.txt standard. Please give us a reasonable window to remediate before any public disclosure — we’ll work with you in good faith.

Compliance

Our compliance posture — honestly

ParityRail is not SOC 2 certified today, and we won’t claim otherwise. We’d rather tell you exactly where we stand than imply a badge we haven’t earned.

What’s already true today:

  • Read-only access to your systems, enforced at the database and at Stripe.
  • Credentials encrypted at rest with AES-256-GCM; TLS in transit.
  • Strict tenant isolation on every request path.
  • A tamper-evident, append-only audit log enforced by the database.
  • Role-based access and hashed, capability-scoped API keys.

Where we’re headed:

  • Formalizing our controls and pursuing SOC 2 Type II as we grow. We’ll update this page as milestones land.
  • A signed DPA is available now — see /legal/dpa.

Have a security questionnaire or need something in writing? Reach out to security@parityrail.com — we answer these directly.