Restricted Stripe access
MRR Calendar accepts restricted Stripe keys and rejects full secret keys. Required read permissions are verified before a source is connected.
Security & Trust
MRR Calendar combines revenue, code, traffic, and social data. This page documents the controls implemented around credentials, access, outbound connections, public surfaces, and operational visibility.
Responsible disclosure
Found a security issue? Send reproducible details privately. Please do not access other users' data or disrupt the service while testing.
Report a vulnerabilityImplemented controls
MRR Calendar accepts restricted Stripe keys and rejects full secret keys. Required read permissions are verified before a source is connected.
API keys and OAuth tokens are encrypted with authenticated encryption before database storage and are not returned to the browser after setup.
Account dashboards and imported source data remain authenticated. Public page, feed, leaderboard, widget, and publishing controls are separate opt-ins.
Authenticated routes enforce resource ownership. Mutations use origin checks and shared Dragonfly rate limits; sensitive audit events are logged.
Website previews validate DNS and redirects. AWTRIX keeps intentional private-network support while cloud metadata and link-local targets remain blocked.
Imports and scheduled publishing run through explicit queues, status events, retries, and admin diagnostics instead of hidden browser work.
Visibility boundaries
| Surface | Default | Owner control |
|---|---|---|
| Private dashboard | Private | Authenticated account and source ownership |
| Public page | Off | Enable page and choose the project/source scope |
| Feed and leaderboard | Off | Independent participation toggles |
| Embeddable widget | Off | Create a widget and choose metric, theme, and scope |
| X profile and AWTRIX publishing | Off | Connect a destination, configure content, then enable delivery |
| Public-page analytics | Off | Visitor consent; decline creates no identifier or event |
Service providers
Optional integrations only receive requests after they are configured or authorized. Infrastructure providers may change as the service evolves; the Privacy Policy will be updated when processing materially changes.
Stripe
Subscription billing and optional revenue data source
UseSend
Transactional and report email delivery
Cloudflare R2/CDN
Avatar, logo, and generated public asset storage
Plausible
Optional aggregate website analytics and connected traffic data
Google and GitHub
Optional authentication
GitHub, X, LinkedIn, Reddit
Optional code and social integrations
MySaaS.Blog and MySaaS.Lol
Optional content and audience integrations
Ahrefs
Optional domain-rating lookup
This page documents implemented product controls. MRR Calendar does not currently claim SOC 2, ISO 27001, a formal uptime SLA, or an independently published penetration-test certification. Such claims will only appear here after they are actually obtained.
Review the Privacy Policy for data categories, analytics consent, retention, recipients, and rights. Use the contact page for access, deletion, security, or processor questions.