Security, stated plainly.
What we do, where your data lives, and what we don't claim. We won't list a certification we haven't earned.
Where your data lives
Your Postgres database and application servers run on Railway, eu-west region. Static assets are served from Cloudflare's global edge. We do not move customer data outside these systems except to the sub-processors listed below.
Encryption
AES-256 at rest, managed by Railway. TLS 1.3 in transit for every connection between you, Crewspace, and the tools we connect to.
Identity & access
Sign-in is handled by Better Auth. Connecting Microsoft 365 uses Microsoft OAuth — your tenant admin grants scopes once. Session tokens rotate every 30 days.
Audit log
Every agent tool call writes a row to activity_log — with timestamp, actor, agent, tool, and target. The full log is available to instance admins, so you can always answer "who did what, as whom, and when".
Sub-processors
The third parties that process customer data on our behalf, with their role and region.
| Sub-processor | Role | Region |
|---|---|---|
| Anthropic | LLM inference (customer-controlled API key) | US |
| OpenAI | LLM inference + embeddings (customer-controlled API key) | US |
| Microsoft | Graph API for M365 integration | EU / customer-tenant |
| Railway | Application hosting | EU |
| Cloudflare | CDN + DNS | Global |
| SendGrid | Transactional email (when shipped) | EU |
| Stripe | Billing & payments | EU |
Certifications & compliance
SOC 2 Type II · in progress
We have not yet engaged an auditor. We expect to begin Type I in Q3 2026.
GDPR
We are GDPR-compliant as data controller for customer data we hold. Sub-processors are listed above. A DPA template is available on request.
Data Processing Agreement
Our DPA template is available to any customer or prospect on request.
Incident response
Email security@crewspace.ai. We aim to respond within 4 business hours.
Reporting a vulnerability
Found something? Email the same address — security@crewspace.ai. Good-faith security research and responsible disclosure are welcomed, and we won't pursue action against researchers acting in good faith.