Carryr

Security

Security

Security and trust are foundational to Carryr. Our platform is designed to protect sensitive digital asset information, ensure instructions are followed correctly, and leave a clear, reviewable record of every critical action.

Carryr combines Cloudflare’s edge security with Firebase’s managed identity and data protections to deliver a security posture that is modern, resilient, and continuously monitored.

Our security approach

Carryr is built around three principles:

  • Protect sensitive data at all times
  • Limit access strictly by role and intent
  • Ensure every critical action is verifiable and auditable

We design our systems so that no single step, user, or system can silently bypass safeguards.

Core security controls

Encryption by default

All data is encrypted:

  • In transit using TLS
  • At rest using industry-standard encryption provided by Firebase and Cloudflare-backed infrastructure

Sensitive credentials and access details are never exposed unnecessarily and are handled only within controlled execution workflows.

Identity, authentication, and sessions

Authentication is handled through Firebase Authentication, supporting:

  • email-based authentication
  • optional multi-factor authentication (MFA)
  • secure, short-lived session tokens

Sessions are protected using standard best practices, including token validation and expiry.

Role-based access control

Access is strictly limited based on role:

  • Owner — sets assets and instructions
  • Executor / Trusted contact — optional oversight or approvals
  • Beneficiary — receives assets or proceeds, without unnecessary access

Users can only see or act on what they are explicitly permitted to access.

Edge protection and abuse prevention

Carryr is fronted by Cloudflare, providing:

  • DDoS protection
  • Web Application Firewall (WAF)
  • rate limiting and bot mitigation
  • protection against common web attacks

This ensures the platform remains available and resistant to automated abuse.

Execution integrity

Verified triggers

No execution begins without:

  • confirmation that defined trigger conditions are met
  • identity verification checks
  • system validation of required approvals (where configured)

This prevents premature or unauthorised actions.

Controlled execution workflows

Execution steps are:

  • gated
  • deliberate
  • limited to the minimum access required

Sensitive operations are never performed directly from the client and are handled through secured server-side workflows.

Audit logging and traceability

All sensitive actions are recorded, including:

  • instruction changes
  • approvals and reviews
  • execution steps and outcomes

Logs are immutable and time-stamped, providing a clear chain of events.

Reporting and records

Carryr provides:

  • clear execution summaries
  • downloadable reports (PDF / CSV)
  • audit-ready records suitable for personal, legal, or administrative use

These records help reduce uncertainty and provide transparency to all relevant parties.

Compliance and certifications

Carryr does not claim compliance certifications unless they have been formally achieved.

If and when certifications such as SOC 2 or ISO 27001 are obtained, this page will be updated with:

  • certification scope
  • issuing body
  • effective dates

Responsible disclosure & security contact

We welcome responsible disclosure of security concerns.

For security-related inquiries or to report a vulnerability, please contact us via the Contact page or at a dedicated security email once published.