walwardenProofBlogRoadmapDocsSign in

Backup independence for Postgres — across every provider you run.

Walwarden runs scheduled backups of your Supabase and Neon databases into storage you own, with signed restore evidence your SOC 2 auditor accepts — with AWS RDS/Aurora on the roadmap. This page tracks exactly what ships today, what ships next, and what we do not claim — so copy and code stay in lockstep.

Shipping today

  • WorkOS-backed sign-in (magic link + 6-digit passcode), with first-user onboarding to a fresh team. (#17)
  • Postgres control plane with hash-chained Audit chain, append-only by SQL trigger. (#18)
  • Production deploy on Fly.io (control plane + worker), at walwarden.com, with credential firewall. (#19)
  • Dashboard hero: per-team RPO + loss window + restore readiness card. (#49)
  • Per-database Recoverability detail page: RPO target/observed, missed schedules, restore-drill outcomes. (#50)
  • Operator-driven restore via the walwarden CLI: dashboard issues a short-lived token, pg_restore runs on your machine, every state transition lands on the audit chain. (#251)
  • Offline Evidence bundle verifier CLI: Ed25519-signed Manifest, public-key publish, verifies without phoning home. (#52)
  • Cron schedule builder with timezone selection. (#53)
  • Members page: invite-by-email, admin/member roles, pending → active upgrade on first sign-in. (#56)
  • Friendly auth-error UX: typed AuthError → on-page error card instead of a Next.js stack trace. (#30)

Shipping next

  • AWS RDS / Aurora as a protected-database providerPhase 1.5 — Supabase and Neon ship today. The provider schema keeps the RDS/Aurora enum ready, but the backup path has not shipped, so we do not claim RDS/Aurora as a current provider.
  • Automated restore drills (ephemeral targets)Drill scheduling and the drill state machine exist in the product today, but ephemeral drill targets have not shipped — restore drills are operator-driven via the CLI.
  • WAL streaming + true PITRPhase 1.5 — explicitly out of v0 per the Q3.3 amendment. Until WAL streaming exists, our PITR claim is our roadmap, not our product.
  • BYO Google Cloud Storage / Backblaze B2 destinationsPhase 1.5+. v0 supports customer-owned AWS S3 only; the destination boundary is generic so additional providers slot in.
  • Walwarden-managed storage tier (no bring-your-own S3)Low-friction onboarding: walwarden provisions and operates the bucket, so you never hand-edit an IAM trust policy. Honest tradeoff — managed mode means walwarden holds the dump bytes, which weakens the "backup independence from a provider you do not fully trust" wedge; BYO S3 stays the trust-boundary-strongest path. Not yet shipped (issue #200, ADR 0011); the data model carries the mode but managed creates are gated off until provisioning automation and the storage/egress pricing passthrough land.
  • WorkOS SSO / SCIM provisioningPaid-tier feature. Multi-team sign-in falls back to the user’s primary team today (issue #95).
  • Evidence bundle viewer in the control planeTracking Issue #58. Today the offline verifier CLI is the canonical surface; an in-app viewer ships next.

What we do NOT claim today

  • Continuous PITR (until WAL streaming ships).
  • HIPAA BAA-signing.
  • SOC 2 Type II attestation on walwarden itself.
  • In-place restore for managed Postgres (Supabase, Neon) — managed-Postgres restore is always new-database + cutover; in-place is self-hosted only.
  • Backup of Postgres instances larger than 500 GB compressed dump in v0 (verification economics break above that size).

We will not add the word “PITR” to your invoice until WAL streaming is in your account.

Walwarden roadmap — what ships today, what ships next