Security & Trust

Your metrics stay private until you choose to publish them.

MRR Calendar combines revenue, code, traffic, and social data. This page documents the controls implemented around credentials, access, outbound connections, public surfaces, and operational visibility.

Responsible disclosure

Found a security issue? Send reproducible details privately. Please do not access other users' data or disrupt the service while testing.

Report a vulnerability

Implemented controls

Concrete safeguards in the product today.

Restricted Stripe access

MRR Calendar accepts restricted Stripe keys and rejects full secret keys. Required read permissions are verified before a source is connected.

Encrypted connection secrets

API keys and OAuth tokens are encrypted with authenticated encryption before database storage and are not returned to the browser after setup.

Private by default

Account dashboards and imported source data remain authenticated. Public page, feed, leaderboard, widget, and publishing controls are separate opt-ins.

Request and ownership controls

Authenticated routes enforce resource ownership. Mutations use origin checks and shared Dragonfly rate limits; sensitive audit events are logged.

Guarded outbound access

Website previews validate DNS and redirects. AWTRIX keeps intentional private-network support while cloud metadata and link-local targets remain blocked.

Observable background work

Imports and scheduled publishing run through explicit queues, status events, retries, and admin diagnostics instead of hidden browser work.

Visibility boundaries

Publishing is explicit and scoped.

SurfaceDefaultOwner control
Private dashboardPrivateAuthenticated account and source ownership
Public pageOffEnable page and choose the project/source scope
Feed and leaderboardOffIndependent participation toggles
Embeddable widgetOffCreate a widget and choose metric, theme, and scope
X profile and AWTRIX publishingOffConnect a destination, configure content, then enable delivery
Public-page analyticsOffVisitor consent; decline creates no identifier or event

Service providers

Providers are tied to a product purpose.

Optional integrations only receive requests after they are configured or authorized. Infrastructure providers may change as the service evolves; the Privacy Policy will be updated when processing materially changes.

Stripe

Subscription billing and optional revenue data source

UseSend

Transactional and report email delivery

Cloudflare R2/CDN

Avatar, logo, and generated public asset storage

Plausible

Optional aggregate website analytics and connected traffic data

Google and GitHub

Optional authentication

GitHub, X, LinkedIn, Reddit

Optional code and social integrations

MySaaS.Blog and MySaaS.Lol

Optional content and audience integrations

Ahrefs

Optional domain-rating lookup

Current assurance level

This page documents implemented product controls. MRR Calendar does not currently claim SOC 2, ISO 27001, a formal uptime SLA, or an independently published penetration-test certification. Such claims will only appear here after they are actually obtained.

Data and legal requests

Review the Privacy Policy for data categories, analytics consent, retention, recipients, and rights. Use the contact page for access, deletion, security, or processor questions.