Security
We hold your last line of defense. Here's how we treat it.
Firedrill exists because untested guarantees fail. The same philosophy runs through our security: enforced by code, exercised continuously, and verifiable — not promised.
Read-only access, enforced
Firedrill connects with a read-only role you create. Our preflight actively probes for write ability and refuses the connection if the role can write — it is not possible to onboard a database with a writable credential. We can never modify your data.
CREATE TEMP TABLE → rejected → connection refused
Envelope encryption before anything is stored
Every project has its own 256-bit data key. Backups stream from pg_dump through AES-256-GCM encryption before a single byte reaches object storage — the storage provider only ever holds ciphertext. Data keys are wrapped by a master key that exists only in the worker environment, never beside the data, and can be rotated without re-encrypting archives.
pg_dump → AES-256-GCM (per-project key) → object storage
Connection strings are never stored in plaintext
Your connection string is encrypted in memory on arrival and stored only as ciphertext. No API, dashboard page, or log ever returns it after creation — it is a write-only field. Log pipelines carry an explicit redaction list for connection strings, keys, passwords, and tokens.
conn string: write-only · logs: redacted · at rest: ciphertext
Drills run on isolated, disposable infrastructure
Every drill restores your backup onto a dedicated ephemeral Postgres instance that is destroyed immediately after the checks complete. A reaper process independently destroys any instance older than 60 minutes as a backstop. Restored data never persists beyond the drill.
create → restore → 7 checks → destroy (reaper backstop: 60 min)
The pipeline never reports on itself
Every scheduled stage — scheduling, backups, drills, retention — heartbeats an independent external monitor. If any stage goes silent, we get paged. A canary database owned by us runs through the entire pipeline continuously, so the whole path is exercised every few hours, forever.
silence = alert · canary drill-tested every 6h
Payments and secrets hygiene
Payments are processed by Stripe; card numbers never touch our systems. Webhooks are signature-verified. API keys are stored as SHA-256 hashes and shown exactly once. Plan changes flow only through verified Stripe events.
stripe: signature-verified · api keys: sha-256, shown once
Responsible disclosure
Found a vulnerability? Email info@runfiredrill.com with reproduction steps. We respond to every report, credit researchers who want credit, and won't pursue good-faith research that respects customer data.
Questions an auditor would ask? We're happy to answer them directly.