Security

The records inside Caliber represent entire careers.

That demands more than a checkbox. Here is exactly how we protect your data — in plain language, no marketing fog.

01 Encryption

AES-256-GCM, client-side.

Every document is encrypted on your device before it ever touches our servers. We use AES-256-GCM — the same standard trusted by banks, governments, and healthcare systems. Keys are derived from your password using Argon2id and never leave your device in plaintext.

02 Zero-knowledge

We cannot read your files.

Zero-knowledge architecture means exactly that: we do not hold the keys to your vault. If someone compelled us to hand over your documents, we could only hand over ciphertext. No backdoor. No master key. No exceptions.

03 Infrastructure

Hardened by default.

Caliber runs on Supabase and Vercel. Database access is gated by row-level security policies. All traffic is TLS 1.3. Secrets are managed through environment isolation. Backups are encrypted at rest.

04 Access control

Your account. Your rules.

Strong password requirements, session rotation, and account-level audit logging. You can review every login and every document access from your settings. Delete your account and every byte is permanently removed.

FAQ

Security questions, answered.

What does zero-knowledge actually mean?

It means your documents are encrypted on your device with a key derived from your password. We store only the encrypted ciphertext. Without your password, neither Caliber, our hosting providers, nor a subpoena can decrypt your files.

What happens if I forget my password?

Because we don't hold your encryption keys, we cannot recover your documents if you lose your password. You can reset your account access, but encrypted documents tied to the old key become unrecoverable. We recommend storing your password in a reputable password manager.

Is Caliber HIPAA compliant?

Caliber is built for individual medical professionals storing their own credentials — not patient data. We apply healthcare-grade security standards (encryption, access logging, data isolation) across the platform. For organization use cases involving PHI, reach out to hello@calibercred.com.

Do you use my documents to train AI models?

No. Your documents are encrypted and we cannot read them. Smart extraction (Pro) processes a document only when you explicitly request it, uses the result solely to populate your credential fields, and is not retained or used for training.

How do I report a security issue?

Email security@calibercred.com with details. We read every report and respond within one business day. Responsible disclosure is appreciated and acknowledged.

Responsible Disclosure

Found a security issue?

Email security@calibercred.com with details. We respond within one business day and credit every report.
