Backup independence for Postgres — across every provider you run.
Walwarden runs scheduled backups of your Supabase and Neon databases into storage you own, with signed restore evidence your SOC 2 auditor accepts — with AWS RDS/Aurora on the roadmap. This page tracks exactly what ships today, what ships next, and what we do not claim — so copy and code stay in lockstep.
Shipping today
- WorkOS-backed sign-in (magic link + 6-digit passcode), with first-user onboarding to a fresh team. (#17)
- Postgres control plane with hash-chained Audit chain, append-only by SQL trigger. (#18)
- Production deploy on Fly.io (control plane + worker), at walwarden.com, with credential firewall. (#19)
- Dashboard hero: per-team RPO + loss window + restore readiness card. (#49)
- Per-database Recoverability detail page: RPO target/observed, missed schedules, restore-drill outcomes. (#50)
- Operator-driven restore via the walwarden CLI: dashboard issues a short-lived token, pg_restore runs on your machine, every state transition lands on the audit chain. (#251)
- Offline Evidence bundle verifier CLI: Ed25519-signed Manifest, public-key publish, verifies without phoning home. (#52)
- Cron schedule builder with timezone selection. (#53)
- Members page: invite-by-email, admin/member roles, pending → active upgrade on first sign-in. (#56)
- Friendly auth-error UX: typed AuthError → on-page error card instead of a Next.js stack trace. (#30)
Shipping next
- AWS RDS / Aurora as a protected-database provider — Phase 1.5 — Supabase and Neon ship today. The provider schema keeps the RDS/Aurora enum ready, but the backup path has not shipped, so we do not claim RDS/Aurora as a current provider.
- Automated restore drills (ephemeral targets) — Drill scheduling and the drill state machine exist in the product today, but ephemeral drill targets have not shipped — restore drills are operator-driven via the CLI.
- Logical recovery windows — Planned customer feature. The proof lane already covers full baseline snapshots, supported transaction tailing, restore replay, schema-change resnapshot, cursor-gap fail-closed behavior, and unsupported-shape rejection. Live disposable Neon/Supabase proof and product enablement must land before this becomes a customer-facing recovery-window claim. (#436)
- BYO Google Cloud Storage / Backblaze B2 destinations — Phase 1.5+. v0 supports customer-owned AWS S3 only; the destination boundary is generic so additional providers slot in.
- Walwarden-managed storage tier (no bring-your-own S3) — Low-friction onboarding: walwarden provisions and operates the bucket, so you never hand-edit an IAM trust policy. Honest tradeoff — managed mode means walwarden holds the dump bytes, which weakens the "backup independence from a provider you do not fully trust" wedge; BYO S3 stays the trust-boundary-strongest path. Not yet shipped; the data model carries the mode but managed creates are gated off until provisioning automation and the storage/egress pricing passthrough land. (#200)
- WorkOS SSO / SCIM provisioning — Paid-tier feature. Multi-team sign-in falls back to the user’s primary team today. (#95)
- Evidence bundle viewer in the control plane — Today the offline verifier CLI is the canonical surface; an in-app viewer ships next. (#58)
What we do NOT claim today
- Managed-provider true PITR, continuous backup, or zero-data-loss recovery.
- Customer-facing logical recovery windows until live managed-provider proof and product enablement land.
- HIPAA BAA-signing.
- SOC 2 Type II attestation on walwarden itself.
- In-place restore for managed Postgres (Supabase, Neon) — managed-Postgres restore is always new-database + cutover; in-place is self-hosted only.
- Backup of Postgres instances larger than 500 GB compressed dump in v0 (verification economics break above that size).
Logical recovery windows stay out of customer claims until live managed-provider proof exists; physical PITR stays a provider-native capability, not a Walwarden promise.