Security & continuity
We can't show you a compliance badge or a decade of history. What we can show you is an architecture where one tenant's breach is never everyone's, the complete list of who touches your data, and an exit you can run with one curl.
how it's built
who touches your data
This is the complete list. Four companies, and exactly what each one sees.
| subprocessor | runs | sees |
|---|---|---|
| Vercel | the control plane (this site + dashboard) | account emails, project names, billing state. Never analytics events. |
| Neon | the control-plane Postgres | the same: accounts, orgs, plans. Never analytics events. |
| Fly.io | tenant instances + their volumes | your analytics events live here, in one isolated app per project. |
| Dodo Payments | billing and invoices | payment details. Card numbers never touch our servers. |
No analytics-event data ever touches the control plane. Events live only in your project's instance.
Your exit is built in
```bash
# your entire dataset, one curl (CSV or JSONL)
curl -H "Authorization: Bearer $KEY" \
  "https://YOUR-INSTANCE/v1/export?format=jsonl" > events.jsonl
```
The JSONL round-trips straight into the MIT self-host binary. It is the same engine the cloud runs, so leaving is a 10-minute operation, not a data hostage negotiation.
continuity, in plain words
smolanalytics is built and run by one person today. You should price that in, so here is the commitment, in writing:
- If the cloud ever shuts down, you get 90 days' notice.
- Exports stay up the whole 90 days.
- The open-source binary runs your exported data identically, forever. Same engine, MIT license, no cloud required.
The API and on-disk formats are frozen, additive-only surfaces, and that policy is public: read the stability policy and the storage design on GitHub.
report a vulnerability
Found something? Please report it privately, not in a public issue. The process is in SECURITY.md. For anything this page didn't answer, check the live status or email karjunvarma2001@gmail.com.