Security & GDPR

CrowAgent is built with security and privacy at its core. We follow industry best practices to protect your data and maintain full compliance with UK GDPR and the Data Protection Act 2018.

Infrastructure & Hosting

  • Application hosted on Railway (EU region) with automatic TLS
  • Database hosted on Supabase (AWS eu-west-2, London)
  • All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Daily automated backups with 30-day retention
  • Row Level Security (RLS) enforced on all database tables

Authentication & Access

  • Multi-factor authentication (TOTP) available for all accounts
  • Session management with automatic expiry and revocation
  • API key authentication with scoped permissions
  • Rate limiting on all public endpoints
  • CSP headers with nonce-based script allowlisting

GDPR Compliance

  • Registered with the UK Information Commissioner's Office (ICO)
  • Data Processing Agreement (DPA) available for enterprise customers
  • Right to erasure: full account deletion with cascade
  • Data portability: CSV export of all user data
  • Cookie consent banner gates all analytics (PostHog) until explicit opt-in
  • Sub-processors listed at /sub-processors
  • Data retention policy: /retention

Application Security

  • Sentry error monitoring with PII scrubbing
  • Input sanitisation on all user-facing endpoints
  • Webhook signature verification (Stripe HMAC)
  • Idempotency key deduplication for payment webhooks
  • Dead letter queue for failed webhook deliveries
  • Automated dependency scanning via Dependabot and Snyk
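To make the webhook bullets above concrete, here is an added example (not CrowAgent's code) of the three controls working together: HMAC signature verification with a constant-time comparison and a timestamp tolerance, idempotency-key deduplication so a retried delivery is not processed twice, and a dead letter queue for deliveries whose processing fails. The signature format follows the shape of Stripe's documented `Stripe-Signature` header (`t=<timestamp>,v1=<hex HMAC-SHA256 of "<timestamp>.<body>">`); the secret, event payloads, handler set and five-minute tolerance are constructed for the example.

```python
import hashlib
import hmac
import json

# Replay window: reject deliveries whose timestamp is further than this from "now".
# Assumed value for the example; pick one that matches your retry policy.
TOLERANCE_SECONDS = 300


def sign_payload(secret: bytes, timestamp: int, payload: bytes) -> str:
    """Produce a header of the form 't=<ts>,v1=<hex>' (sender side, used here for testing)."""
    signed = f"{timestamp}.".encode() + payload
    digest = hmac.new(secret, signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def verify_signature(secret: bytes, header: str, payload: bytes, now: int) -> bool:
    """Receiver side: parse the header, enforce the replay window, compare in constant time."""
    try:
        parts = dict(item.split("=", 1) for item in header.split(","))
        timestamp = int(parts["t"])
        provided = parts["v1"]
    except (ValueError, KeyError):
        return False  # malformed header is treated as unsigned
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        return False  # stale or future-dated delivery
    expected = hmac.new(secret, f"{timestamp}.".encode() + payload, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(expected, provided)


class WebhookProcessor:
    """Verifies, deduplicates and processes deliveries; failed ones land in a dead letter list."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.seen_event_ids: set[str] = set()  # in production this would be a durable store
        self.processed: list[dict] = []
        self.dead_letter: list[tuple[str, str]] = []
        # Constructed handler table; unknown event types raise and are dead-lettered.
        self.handlers = {"payment_intent.succeeded": self.processed.append}

    def handle(self, header: str, payload: bytes, now: int) -> str:
        if not verify_signature(self.secret, header, payload, now):
            return "rejected"
        event = json.loads(payload)
        event_id = event.get("id")
        if not event_id:
            return "rejected"  # no idempotency key means we cannot deduplicate safely
        if event_id in self.seen_event_ids:
            return "duplicate"  # retried delivery; acknowledge without re-processing
        try:
            self.handlers[event["type"]](event)
        except Exception as exc:  # any handler failure is queued for later inspection
            self.dead_letter.append((event_id, repr(exc)))
            return "dead_lettered"  # not marked seen, so a retry can succeed after a fix
        self.seen_event_ids.add(event_id)
        return "processed"


if __name__ == "__main__":
    # Constructed sample delivery.
    secret = b"whsec_example_secret"
    body = b'{"id":"evt_1","type":"payment_intent.succeeded"}'
    header = sign_payload(secret, 1_700_000_000, body)
    proc = WebhookProcessor(secret)
    print(proc.handle(header, body, 1_700_000_010))   # processed
    print(proc.handle(header, body, 1_700_000_020))   # duplicate
    print(proc.handle(header, body + b" ", 1_700_000_010))  # rejected (tampered body)
```

The order of checks matters: the signature is verified before the body is parsed, so an unauthenticated sender cannot drive the JSON parser or the handlers, and a failed handler does not mark the event as seen, so the sender's retry is allowed to reach the handler again once the fault is fixed.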

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@crowagent.ai. We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days.

Questions?

For security or privacy enquiries, contact our DPO at dpo@crowagent.ai.