Trust

Security

Your METRC keys, your compliance records, and your facility's data are some of the most sensitive things a cultivator holds. Here's how we protect them — built by people who run a real grow and have their own license on the line.

Last updated: June 8, 2026 Status: Private beta Report an issue: support@carinaos.com

01 Our approach

CarinaOS runs on a live, licensed cultivation facility every day — ours. That means we feel any security weakness before our customers do, and we have the same regulatory exposure you do. Security here isn't a checkbox; it's self-interest.

This page is an honest snapshot of where we are as an early-stage platform in private beta. We'll keep it current as our controls mature.

02 Encryption

  • In transit: all traffic to carinaos.com and app.carinaos.com is served over HTTPS/TLS. Connections to METRC and your sensor platforms are encrypted.
  • At rest: your data is stored in managed databases and object storage with encryption at rest enabled.
  • Passwords are never stored in plaintext — only as salted hashes handled by our authentication provider.

03 Tenant isolation

CarinaOS is multi-tenant by design. Every facility is a separate tenant with isolated credentials, sensor configuration, and METRC keys.

  • Database access is governed by row-level security policies, so one tenant's queries cannot reach another tenant's records.
  • Each facility's compliance keys and sensor configuration are scoped to that tenant alone.
  • Per-tenant sync jobs run with that tenant's credentials and write only to that tenant's data.

04 Credential handling

Your METRC and sensor API keys are stored as encrypted secrets and are never displayed back in the interface, included in logs, or exposed to other tenants. They're used only to make the authorized calls you've configured.

Sync logic runs server-side on isolated edge workers, so credentials are never shipped to the browser. You can rotate or remove a connected key at any time, which immediately stops the associated syncs.

05 Authentication

Sign-in is handled by a managed authentication provider (Supabase Auth) using industry-standard session tokens. Sessions are scoped to your tenant, and you can sign out to revoke a session. We recommend a strong, unique password for your account.

06 Payment security

Billing is processed by Stripe, a PCI-DSS Level 1 provider. Card data is handled directly by Stripe — CarinaOS never sees or stores full card numbers. We store only the subscription metadata needed to manage your plan.

07 Infrastructure

  • Edge compute & sync: Cloudflare Workers run scheduled, per-tenant sync jobs and API integrations.
  • Data & auth: Supabase provides the database and authentication layer with row-level security.
  • Static hosting: the marketing site is served from AWS S3 behind CloudFront.
  • We rely on reputable providers that maintain their own audited security and compliance programs.

08 Access & monitoring

  • Administrative access to production systems is limited to the minimum personnel needed to operate the service.
  • We monitor sync jobs and platform health, and review logs to detect and debug anomalies.
  • Secrets are managed through our providers' secret stores rather than embedded in code.

09 Responsible disclosure

If you believe you've found a security vulnerability, we want to hear from you. Email support@carinaos.com with details and steps to reproduce. Please give us a reasonable window to investigate and fix before any public disclosure, and don't access or modify data that isn't yours while testing. We'll acknowledge your report and keep you posted on the fix.

10 Contact

Security questions, or want detail for a vendor review? Reach us at support@carinaos.com.