How do I know the release I am downloading is really yours?
Every release is signed with our private Ed25519 key. Your installer verifies the signature against the matching public key (bundled into the `create-cavecms` command itself) before it unpacks anything. Mismatch means the installer refuses, full stop. Same for SHA-256: the hash of every zip is published in our signed manifest, and the installer re-hashes the download before trusting it.
No network round-trip for verification. The public key travels with the installer, so a compromised npm CDN cannot lie about which key signed the build.
What happens if an update breaks my site?
Every in-app update goes through six steps: pre-flight check, snapshot of your database and files, signature-verified download, atomic swap, restart, and a post-flight health check. If the health check fails (or anything earlier does), the snapshot is restored and your site stays on the version it was on a minute ago.
Snapshots live on your own disk. We never see them. Auto-rollback runs without us, even if our update server is down at the moment of failure. You can also undo an update yourself any time by running the cavecms rollback command, which restores the previous version straight from that on-disk snapshot, no internet required.
Where does my data live?
On your server. CaveCMS is self-hosted: your database, your uploads, your domain. We do not have your DB credentials. We cannot read your content. We cannot reach in to your site.
The only thing your install talks to us about is "is there a new release?", and only when an admin loads /admin/settings/updates or you explicitly click Check Now.
Do you collect anything about my visitors?
Nothing by default. CaveCMS ships with every integration off. If you want Google Analytics, Hotjar, HubSpot, or anything else, you opt in by pasting your own ID, and the moment you toggle it off, those origins disappear from our Content Security Policy on the very next request.
No telemetry. No phone-home. No anonymous usage pings. We do not even know how many sites are running.
What about the AI features?
You bring your own Google Gemini API key. Requests go directly from your server to Google. We never see your key, your prompts, or your AI responses. The AI features can be disabled entirely from Settings → AI.
Who can read my admin password?
Nobody: not us, not your hosting provider, not anyone who can read your database. Passwords are hashed with scrypt (a memory-hard KDF) and compared in constant time so timing attacks cannot probe them.
JWTs that authenticate your admin sessions are HS256-signed with a secret generated once at install time and sealed on disk with mode 600. The secret never leaves your server.
What if you go out of business?
You keep using CaveCMS forever. The Prosperity Public License gives you the right to run, modify, and distribute the software for personal and non-profit use without limit. The full source is on GitHub. Your install does not phone home, does not need our servers to function, and cannot be remotely disabled.
There is no kill switch. There is no required cloud account. There is no DRM. If we vanish tomorrow, your site keeps working.
Can I audit any of this?
Yes. Every claim on this page maps to public source code. The signature verification lives in our installer on npm. The CSP integration toggles live in `lib/security/buildCsp.ts`. The password hashing lives in `lib/auth/scrypt.ts`. The update orchestrator is `scripts/cavecms-update.sh`. Open the repo and read.