Security

How we protect your business data

AES-256 Encryption

All data encrypted at rest. Same encryption used by banks and government agencies.

SOC 2 Hosting

Hosted on Vercel and Neon—both SOC 2 Type II certified infrastructure providers.

Daily Backups

Automated daily backups with 30-day retention. Your data is safe even if something goes wrong.

Secure Authentication

Bcrypt password hashing, session tokens, rate limiting, and optional two-factor authentication.

Infrastructure & Hosting

Application Hosting

Crewdex runs on Vercel's edge network with global CDN, DDoS protection, and automatic SSL/TLS certificates. Vercel is SOC 2 Type II certified.

Database

We use Neon PostgreSQL with:

  • AES-256 encryption at rest
  • TLS 1.3 encryption in transit
  • Isolated tenancy (your data stays separate)
  • SOC 2 Type II compliance

File Storage

Photos and documents are stored on Cloudflare R2 with encryption at rest and private buckets (files aren't publicly accessible).

Network Security

All connections use TLS 1.3 encryption. Older, insecure protocols (SSL, TLS 1.0/1.1) are disabled.

Data Protection

Encryption

At rest: AES-256 encryption for database and file storage
In transit: TLS 1.3 for all network connections

Backups

Frequency: Daily automated backups
Retention: 30 days (can restore to any point)
Storage: Encrypted backups stored in separate region

Multi-Tenant Isolation

Every query includes tenant filtering. Your customers can't see each other's data, and you can't see other contractors' data. It's baked into the database schema.

Data Deletion

When you cancel, we keep your data for 30 days (in case you change your mind). After that, it's permanently deleted from all systems including backups.

Authentication & Access Control

Password Security

Passwords are hashed with bcrypt (12 rounds). We never store or log plain-text passwords. Even our team can't see your password.

Session Management

Sessions use secure, httpOnly cookies with automatic expiration. Sessions are invalidated on logout and after 30 days of inactivity.

Two-Factor Authentication

Optional 2FA using authenticator apps (Google Authenticator, Authy, etc.). Highly recommended for owner accounts.

Rate Limiting

Login attempts are rate-limited to prevent brute-force attacks. Too many failed attempts will temporarily lock the account.

Payment Security

We use Stripe for all payment processing. Stripe is PCI DSS Level 1 certified (the highest level).

We never see your full credit card number. Card details go directly to Stripe's secure servers. We only store a token that lets us charge your card.

Customer payments (for invoices) also go through Stripe. Your customers' payment info is handled with the same security standards.

Monitoring & Incident Response

Error Tracking

We use Sentry to track application errors. This helps us catch and fix bugs quickly. Error logs don't include sensitive data like passwords or credit cards.

Uptime Monitoring

We monitor Crewdex 24/7. If something goes down, we get alerted immediately. Most outages are resolved within minutes.

Security Incidents

If we detect a security breach, we'll notify affected users within 72 hours and explain what happened and what we're doing about it.

Compliance

GDPR (EU Users)

We comply with GDPR requirements: data access, portability, and deletion rights. Your data is stored in US-based data centers (Vercel/Neon).

CCPA (California Users)

California residents can request their data, ask us not to sell it (we don't anyway), or delete it. Email [email protected]

Found a Security Issue?

If you discover a security vulnerability, please report it responsibly:

  • Email [email protected] with details
  • Don't publicly disclose until we've had time to fix it
  • Give us a reasonable timeline (usually 90 days is standard)

We take security seriously and will work with you to address any issues. We don't have a bug bounty program (we're too small), but we'll acknowledge your contribution publicly if you want.

Questions?

Have questions about our security practices? Email us at [email protected]

We're happy to explain our security setup in more detail if you're evaluating Crewdex for your business.