Hosted on Railway + Supabase
API runs on Railway (Node.js/Express). Records stored in Supabase Postgres with row-level security, so account isolation is enforced by database policy rather than by API code alone: a request authenticated as one account cannot read or modify another account's rows through the API. Self-hosting available under the MIT license for full infrastructure control.
Client-side hashing. Customer-signed records.
Payload hashes are computed client-side before transmission, so the server only ever receives a hash the client has already committed to. L3 commits are signed with customer-held Ed25519 keys before reaching our servers; the private key stays with the customer. Any later change to a payload or commit, whether by DarkMatter or by anyone with access to our database, is detectable without trusting DarkMatter: verification requires only the customer's public key.
TLS in transit. RLS in storage.
All API traffic is TLS 1.2 or newer. Authentication uses Supabase JWTs or agent API keys. Row-level security enforces account isolation at the database layer, so isolation does not depend on every API route getting its authorization check right. API keys scope access to the owning agent only.
Honest about what we have, and don’t.
We do not hold SOC 2, ISO 27001, or HIPAA BAA at this time. Security questionnaires and current controls documentation available on request. For regulated deployments, the cryptographic verification model provides evidence of record integrity that does not depend on our certification status.
Plaintext by default. BYOK for confidentiality.
Payloads are stored in plaintext at the application layer by default, as in most cloud services. Disk-level encryption at rest, where the hosting provider offers it, does not change this: it protects stored volumes, not data read through a database connection. DarkMatter personnel with database access can read them. BYOK encryption (Enterprise) encrypts on your side before committing, so only you can read the content; that also means a key you lose is content nobody can recover.
Report security issues directly.
If you discover a security issue, email [email protected] with subject “Security disclosure”. We respond within 48 hours and will credit responsible disclosures.
The verification model is open-source.
Download any proof bundle and run the offline verifier against the customer's public key. No DarkMatter account. No internet. No trust in us.