§1 · Data in transit
- —All data is transmitted over HTTPS/TLS 1.3.
- —API endpoints enforce HTTPS, with no plain HTTP fallback.
§2 · Data at rest
- —Training session data is stored in Neon (PostgreSQL) with encryption at rest.
- —Billing data is not stored by Calyber Labs; it is processed and stored by Stripe.
- —No raw card numbers, CVVs, or bank account details are ever transmitted to or stored on Calyber Labs infrastructure.
§3 · Authentication
- —Account authentication is handled by Clerk (clerk.com). Calyber Labs does not store or handle passwords directly.
- —Sessions are JWTs signed by Clerk, verified server-side on every request.
- —Multi-factor authentication is available through the account settings page.
§4 · Data residency
- —Application data is stored in Neon's managed PostgreSQL service. Database region: US East.
- —Vercel edge functions and CDN may cache non-personal content globally.
§5 · Your data
- —Training data export (CSV and JSON) is on the post-launch roadmap.
- —You can permanently delete your account and all associated training data from account settings.
- —Deletion is permanent and irreversible. There is no grace period for recovery after deletion is confirmed.
§6 · Disclosure policy
- —Security vulnerabilities can be reported to security@calyber.app.
- —Calyber Labs does not currently offer a bug bounty program.
- —Confirmed vulnerabilities will be acknowledged within 5 business days and patched in the next release cycle.
- —A machine-readable disclosure policy is available at /.well-known/security.txt (not yet deployed).