
Security Overview

Crew is built with a security-first architecture designed to protect your data and your customers’ information. This page provides an overview of our security practices, certifications, and architecture.

Security Principles

Our approach to security is guided by:
  1. Defense in Depth — Multiple layers of security controls
  2. Least Privilege — Minimal access required for any operation
  3. Encryption Everywhere — Data protected in transit and at rest
  4. Continuous Monitoring — Real-time threat detection and response
  5. Transparency — Clear documentation of security practices

Infrastructure

Cloud Architecture

Crew runs on enterprise-grade cloud infrastructure:
Component | Provider | Region Options
Application | Vercel | US, EU
Database | Supabase (PostgreSQL) | US, EU
Telephony | Twilio | Global
AI Processing | OpenAI | US

Network Security

  • TLS 1.2+ for all connections
  • Web Application Firewall (WAF) protection
  • DDoS mitigation at network edge
  • Private networking between services
  • Regular penetration testing

Access Control

  • Role-based access control (RBAC) for all resources
  • Multi-factor authentication (MFA) support
  • Single Sign-On (SSO) for Enterprise plans
  • API key scoping with minimal permissions
  • Audit logging for all access events

Data Encryption

In Transit

All data is encrypted during transmission:
  • TLS 1.2 or higher for HTTPS connections
  • Certificate pinning for mobile applications
  • Perfect Forward Secrecy (PFS) enabled
  • HSTS enforced on all endpoints

At Rest

Stored data is encrypted:
  • AES-256 encryption for database fields
  • Encrypted backups with separate key management
  • Encrypted file storage for recordings and documents
  • Hardware Security Modules (HSM) for key management

Key Management

  • Keys stored in dedicated key management service
  • Automatic key rotation
  • Separation of keys by tenant
  • Access logging for all key operations

Authentication & Authorization

User Authentication

  • Password hashing with bcrypt
  • Configurable password policies
  • Session management with secure tokens
  • Brute force protection with rate limiting
  • Optional MFA via authenticator apps

API Authentication

  • API keys for server-to-server
  • JWT tokens for user-scoped access
  • OAuth 2.0 for third-party integrations
  • IP allowlisting available
  • Automatic token expiration

Authorization

User → Workspace Role → Resource Permissions → Action
All access decisions are logged and auditable.

Application Security

Secure Development

  • Security-focused code review process
  • Automated vulnerability scanning (SAST/DAST)
  • Dependency vulnerability monitoring
  • Regular security training for developers
  • Bug bounty program (coming soon)

Input Validation

  • Server-side validation for all inputs
  • Parameterized queries (SQL injection prevention)
  • Content Security Policy (CSP) headers
  • Cross-Site Scripting (XSS) protection
  • Cross-Site Request Forgery (CSRF) tokens

Third-Party Security

  • Vendor security assessments
  • Minimal third-party dependencies
  • Regular dependency updates
  • Supply chain security monitoring

Operational Security

Monitoring

  • 24/7 infrastructure monitoring
  • Real-time security alerting
  • Log aggregation and analysis
  • Anomaly detection

Incident Response

Documented incident response procedures:
  1. Detection — Automated and manual monitoring
  2. Triage — Severity assessment and escalation
  3. Containment — Isolate affected systems
  4. Eradication — Remove threat
  5. Recovery — Restore services
  6. Post-Mortem — Analysis and improvement

Business Continuity

  • Geographic redundancy across availability zones
  • Automated failover for critical services
  • Regular backup testing
  • Disaster recovery procedures
  • 99.9% uptime SLA (Enterprise)

Compliance Framework

Current Status

Framework | Status
SOC 2 Type II | In Progress
GDPR | Compliant
CCPA | Compliant
PCI DSS | Not applicable (no card storage)
HIPAA | See Healthcare Readiness

Data Processing

  • Data Processing Agreement (DPA) available
  • Standard Contractual Clauses for EU transfers
  • Privacy policy publicly available
  • Cookie consent management

Security Reporting

Vulnerability Disclosure

If you discover a security vulnerability:
  1. Email security@usecrew.ai
  2. Include detailed reproduction steps
  3. Allow 90 days for remediation before disclosure
  4. We do not pursue legal action for good-faith reports

Security Updates

  • Security advisories published at /security/advisories
  • Critical updates communicated via email
  • Status page at status.usecrew.ai

Customer Responsibilities

Security is a shared responsibility. Customers are responsible for:
  • Securing API keys and credentials
  • Managing user access within their workspace
  • Configuring appropriate permissions
  • Reviewing audit logs
  • Reporting suspected security issues
See Customer Responsibilities for details.

Questions

For security questions or to request additional documentation:
