Security

How we protect your data — last updated May 23, 2026

1. Encryption

  • At rest: AES-256 — Cloud SQL (PostgreSQL 16), Elasticsearch indices, and GCS buckets all use Google-managed envelope encryption by default. Backups inherit the same encryption.
  • In transit: TLS 1.3 only at the public load balancer (HSTS is enforced; preload submission is on our roadmap). Internal traffic between services rides on Google's private VPC network.
  • Secrets: API tokens (Google Search Console, GA, Bing, Stripe, OpenAI, Anthropic) are stored encrypted at the application layer and never written to logs.

2. Hosting region

All production infrastructure runs in europe-west1 (Belgium) on Google Cloud Platform. Crawl workers, the application backend, the PostgreSQL primary, and customer artifacts (PDF reports, data exports) all sit in this region. We do not replicate data outside the EU.

3. Backups & recovery

  • Cloud SQL automated daily backups, retained 7 days. Point-in-time recovery enabled with a 7-day window.
  • Off-site weekly snapshots retained 30 days for disaster recovery.
  • Recovery objectives: RPO ≤ 24 h, RTO ≤ 4 h. We run restore drills quarterly.
  • Customer data exports (CRA-345) are stored in a dedicated GCS bucket with a 30-day TTL.

4. Account & access security

  • Optional TOTP-based two-factor authentication with backup codes.
  • Optional phone verification (SMS code, 6 digits, 60-second resend cooldown).
  • Role-based access control (owner / admin / member / viewer) at the workspace level. See the in-app Roles & permissions matrix on the Members page.
  • All authentication mutations (login, 2FA enable/disable, password change, OAuth connect/disconnect) write an entry to the audit log.
  • Production access is restricted to the founder via short-lived IAM tokens and IAP tunnels; no shared admin credentials.

5. Sub-processors

We rely on the following third parties to operate the platform. Each is bound by GDPR-compatible data-processing terms.

| Sub-processor | Purpose | Region |
|---|---|---|
| Google Cloud Platform | Hosting, storage, networking | europe-west1 |
| Stripe | Subscription billing & payments | EU / global |
| Sentry | Error monitoring (sanitized payloads, no PII) | Frankfurt (de) |
| Anthropic | AI insights generation (GEO + cluster narratives) | US |
| OpenAI | Optional fallback for AI insights | US |
| Cloudflare | CDN / DDoS protection (no request bodies cached) | Global |
| Resend | Transactional email | EU |

We notify customers in-app at least 30 days before adding a new sub-processor that handles customer data.

6. GDPR & data subject rights

  • Controller of record: Enric Ramos (autónomo), Spain — see Privacy Policy for the full disclosure.
  • Right to access & portability: request your data export from Profile → Data & privacy. The export is delivered as a downloadable ZIP within 24 hours.
  • Right to erasure: request deletion from Profile → Data & privacy. The account is anonymised immediately, then hard-deleted after a 30-day grace window.
  • Data Processing Addendum: available on request — email legal@crawlsense.ai.

7. SOC 2 roadmap

CrawlSense is not currently SOC 2 certified. We are building the platform with SOC 2 Type II controls in mind (audit logs, RBAC, encryption, change management) so that the path to certification is a procedural one rather than a re-architecture. If your procurement requires a vendor questionnaire today, write to security@crawlsense.ai.

8. Vulnerability reporting

If you believe you've found a security vulnerability in CrawlSense, please report it privately to security@crawlsense.ai. We commit to acknowledging within 3 business days and to keeping you informed throughout triage. We don't currently run a paid bug bounty, but we credit reporters on the Changelog when a fix ships.

9. Status & incidents

Real-time availability and incident history live at status.crawlsense.ai. We publish post-mortems for any incident that breached our 99.9% monthly availability target.