Capsule never touches your data.
The agent runs on your server. Your credentials stay on your server. We only ever receive encrypted ciphertext — and we don't have the key to read it.
What happens when you run a backup
- 01
You connect a database — credentials are saved locally on your server, encrypted on disk.
- 02
Capsule runs pg_dump / mysqldump / mongodump on your server using those local credentials.
- 03
The dump output is AES-256-GCM encrypted on your server using a key derived locally.
- 04
The encrypted file is uploaded to Capsule's cloud. Only ciphertext leaves your server.
- 05
Your plaintext data never leaves your server — at any point in this process.
Visibility
What Capsule can see
- ✓Your email address
- ✓The nickname you give your server
- ✓Number of database connections
- ✓Backup timestamps and file size
Cannot see
- ✗Your database credentials
- ✗Your database schema or tables
- ✗Your actual data
- ✗Your encryption key
Security measures
Built for paranoid engineers.
Every layer of Capsule is designed with the assumption that you shouldn't have to trust us.
AES-256-GCM encryption
Every backup is encrypted client-side before upload using AES-256-GCM. The key is derived locally and never transmitted.
Credentials never transmitted
Database credentials are stored on your server only, encrypted at rest. They are never sent to Capsule's API or cloud.
Agent runs on your server
Capsule's servers never initiate connections to your database. The agent pulls, encrypts, and pushes — all locally.
SHA-256 integrity checks
Every backup file is checksummed before upload and verified on restore. Corrupted or tampered files are rejected.
TLS in transit
All communication between the agent and Capsule's API is encrypted in transit over TLS. No plain-text API calls.
Minimal footprint
The agent runs as a normal user — no root or sudo required. It only accesses the databases you explicitly connect.
Verification
Don't take our word for it.
Every claim on this page is verifiable. Here's how to inspect the agent's network behaviour yourself.
Monitor traffic
Watch exactly what the agent sends
Run this on your server while Capsule performs a backup. You'll see TLS-encrypted traffic to api.trycapsule.xyz only — nothing else. The volume will match your backup size.
Lock the agent to our API only
Add these firewall rules to enforce what the agent can reach. It only needs port 443 to api.trycapsule.xyz. Any attempt to connect elsewhere will be blocked.
The agent requires no inbound connections — you can block all external inbound traffic without affecting Capsule.
Inspect & enforce
Trace every syscall
See every network connection the agent makes at the kernel level — including destination IPs before TLS wraps them.
Inspect the binary
Extract all hardcoded strings from the binary. You can verify the only domains present are Capsule's — no hidden endpoints.
Enforce at the service level
Add network restrictions directly to the systemd unit. Enforced by the kernel per-process — more precise than a global firewall rule.
Run sudo systemctl daemon-reload && sudo systemctl restart capsule after editing.
Stop hoping. Start knowing.
Your databases deserve better than hoping nothing goes wrong.
Capsule takes 60 seconds to install and runs quietly in the background. Free for individual developers, forever.