Security & trust
Most vendor security reviews are a six-week questionnaire against a report you take on faith. Calnode's approach is the opposite: the whole product is small, self-hosted, and every security and privacy claim is published so your engineers can verify it directly.
Security & trust
A SaaS vendor asks you to trust an annual audit report. Because Calnode is small and self-hosted, you can do better: point your own security engineer — or their LLM — at the repo and verify every security and privacy claim in minutes, not weeks.
Every claim we make is published as a claim → verify-it-yourselfmanifest, alongside the audit process itself. Nothing to take on faith — each line points at the code that proves it.
Two rounds of review: deterministic scanners (govulncheck · gosec · gitleaks · semgrep) plus an LLM red-team across six domains — egress tracing, tenant isolation, the auth model, encryption & secrets, injection/SSRF, and booking-flow authorization.
A self-serve audit kit — open and falsifiable, run it against the repo yourself. It is not a third-party attestation (no SOC 2, no external pen-test); it is something you can check directly instead of trusting a certificate.
Self-hosted by design — customer data never leaves your environment except through explicit, named, opt-in integrations. There are no hidden calls home. The complete list of third parties, and only when each applies:
Calnode is free and open source. Self-host it in minutes, or talk to us about a managed deployment for your organisation.
Don't want to host it at all? Join the managed-hosting waitlist — we'll email you when it opens.