Every Macaly project starts with secure foundations built in. Encryption, EU hosting, authentication, isolated databases, and edge protection come ready out of the box. This page explains what runs in the background so you don’t have to set it up, and what stays with you as the person publishing the project.
How security works on Macaly
Security in any web application involves both the platform underneath it and the person building on top. Macaly takes care of the infrastructure layer: hosting, encryption, the authentication library, edge protection, isolated databases, and ongoing security updates. You stay in charge of the application layer: what data your project stores, who can access it, and how your end users are informed. This split means you don’t need to set up servers, certificates, or auth libraries from scratch. It also means decisions about your data and your users stay with you, where they belong.
When your project stores personal data about your end users, Macaly acts as a data processor and you remain the data controller. Full details are in our DPA.
What’s built in
Hosting and data residency
Published projects are hosted on Vercel’s EU region (Frankfurt). Databases run on Convex EU West (Ireland). Both sit behind Cloudflare’s edge network, which serves content from servers closer to your visitors and mitigates attack traffic before it reaches your project. Each Macaly project gets its own isolated database, so data from one project is never mixed with another.
Encryption
Data is encrypted in transit and at rest:
- HTTPS is enforced on every published project
- Data at rest is encrypted at our hosting and database providers
- Sensitive credentials used internally by Macaly are encrypted before storage
Authentication
Macaly’s built-in authentication uses an industry-standard library that handles password hashing, session management, and one-time codes. Two methods are available:
- OTP login for passwordless email-code authentication
- Email and password login with signup, verification, and reset flows
Secure-by-default agent
The Macaly agent is guided by built-in practices that apply across every project. Authentication, database access patterns, secrets handling, and integration setup follow established defaults rather than being assembled from scratch each time. You can also ask the agent at any time to walk you through how a specific part of your project is protected, or to adjust something based on your needs. See Building secure apps for practical guidance.
Edge protection and updates
Cloudflare’s edge network and Vercel’s platform protections handle common abuse patterns automatically, including DDoS mitigation and basic bot filtering. Security-relevant fixes to our infrastructure and underlying dependencies roll out across all projects continuously, so you don’t need to track or apply patches yourself.
What’s in your hands
When you publish a project on Macaly, the application itself is yours. A few things naturally stay with you, since they depend on your project and your users.
Data and compliance
You decide what data your project collects and stores. Compliance with GDPR, the CCPA, and other laws applicable to your end users is something to plan for as part of building. In practice, this usually means:
- Letting your users know how their data is handled
- Adding a privacy policy if your project collects personal data
- Including a cookie banner if your project serves EU visitors
- Being able to handle user requests for access, correction, and deletion
Your application’s access controls
The agent can build authentication and role-based access, and ensure each user sees only their own data. How these are set up for your project, and who sees what, is part of describing what you want. The next page, Building secure apps, covers how to do this well.
Backups
Customer Data is yours, so backing it up is also up to you. Macaly offers two ways to do this:
- GitHub integration (Pro plan and above) backs up your project’s source code to a private repository
- Duplicating chats creates an independent copy of your project as a safety point before larger changes
AI features in your app
If your project includes AI features for end users, such as chatbots, content generation, or summarization, the configuration and the outputs they produce are part of your project. We recommend letting your end users know when they are interacting with AI-generated content.
Payments
Macaly is not a payment processor and does not store or transmit card data. If your project accepts payments, use a hosted payment provider that handles cards on its own infrastructure. Avoid storing card numbers, CVCs, or other raw payment data in your project’s database.
When Macaly is the right fit
Macaly is built for marketing websites, landing pages, internal tools, dashboards, MVPs, and small to medium web applications. It works well for projects where you want to move quickly and iterate based on real feedback. For projects involving highly regulated data, additional compliance work may be needed beyond what Macaly handles by default. This includes:
- Healthcare data covered by HIPAA or similar regulations
- Raw payment card data subject to PCI DSS
- Apps directed at children under 13 (COPPA) or under 18