Security Overview

CRMown is built with security as a core design principle, not an afterthought. This document outlines the technical and organizational measures we employ to protect your data across our SaaS platform, mobile applications, and self-hosted deployments.

1. Infrastructure

Hosting

• SaaS platform hosted on DigitalOcean cloud infrastructure (U.S. data centers)
• Application runs in Docker containers with isolated services (API, web, worker, database, cache)
• Nginx reverse proxy with TLS termination and rate limiting
• API rate limiting: 30 requests/second general, 5 requests/second for authentication endpoints

Database

• PostgreSQL relational database with strict schema enforcement
• Multi-tenant architecture with org-level isolation — every query is scoped to the authenticated organization
• Daily encrypted backups with automated retention
• Redis for caching and job queue management (BullMQ)

2. Encryption

• In Transit: All connections encrypted with TLS 1.2/1.3. HSTS enforced with max-age 63,072,000 seconds (2 years). SSL certificates via Let's Encrypt with automatic renewal.
• At Rest: Database volumes encrypted at the infrastructure level (DigitalOcean managed encryption). Backups encrypted before storage.
• Passwords: All user and portal passwords hashed with bcrypt (cost factor 12). Passwords are never stored in plaintext or reversible encryption.
• API Keys: Customer API keys generated with cryptographically secure random bytes. Displayed once at creation, stored as prefixed identifiers for lookup.

3. Authentication & Access Control

User Authentication

• JWT (JSON Web Tokens) for session management with configurable expiry
• Separate authentication systems for internal CRM users and Client Portal users
• Portal JWTs include a type: 'portal' claim to prevent cross-system token abuse
• Magic link authentication available for Client Portal users
• Password reset with time-limited, single-use tokens

Role-Based Access Control (RBAC)

• 10 built-in roles: Owner, Admin, Board, Executive, Director, Team, Support, Partner, Viewer, Client
• Field-level permissions: Control visibility of individual fields per role
• Custom roles: Organizations can define custom permission sets
• Module-level gating: Suite activation controls which features each organization can access

API Security

• Dual authentication: JWT tokens for interactive sessions, API keys (ck_live_ prefix) for programmatic access
• HMAC-SHA256 webhook signatures for outbound webhook verification
• Webhook delivery logging with automatic retry and exponential backoff
• Auto-disable webhooks after consecutive delivery failures

4. AI Safety & Governance

• AI Audit Log: Every AI-initiated action is logged with full context (action type, input, output, risk level, approval status)
• Approval Queue: Medium and high-risk autonomous AI actions require human approval before execution
• User-initiated vs. Autonomous: Actions triggered directly by users are treated as low-risk (auto-approved); autonomous AI suggestions are flagged for review
• No AI Training: Your data is never used to train generalized AI models. AI processing is limited to the specific service invocation.
• Bring Your Own Key (BYOK): Self-hosted customers connect their own AI API keys. No data passes through CRMown infrastructure.
• AI Provider: SaaS platform uses Anthropic Claude API with enterprise-grade data handling commitments

5. Consent & Privacy Compliance

• Per-contact consent tracking for email, SMS, WhatsApp, phone, and postal communications
• Consent enforcement middleware: Messaging system checks consent status before sending any communication
• ConsentLog audit trail: Every consent change is logged with source, timestamp, actor, IP address, and user agent
• GDPR mode and CCPA mode: Organization-level toggles that enforce stricter consent requirements
• Double opt-in: Optional requirement for new contact creation
• Public preference center: Token-based contact-facing page for managing communication preferences and requesting data deletion
• Do Not Contact: Master toggle that blocks all outbound communication to a contact
• Data retention controls: Configurable retention periods at both organization and contact level

6. Communication Security (BYOC)

• Bring Your Own Carrier (BYOC): Customers connect their own Twilio, Plivo, Telnyx, or custom SIP provider
• CRMown facilitates the connection but does not intercept, store, or process raw call audio
• SMS and voice communications flow directly between the customer's carrier and their contacts
• WhatsApp Business integration uses the customer's own verified business account
• Carrier API credentials are stored encrypted and never exposed through the UI after initial setup

7. Application Security

• Input validation: All API endpoints use Zod schema validation with type coercion and sanitization
• SQL injection prevention: All database queries use Prisma ORM with parameterized queries — no raw SQL interpolation
• XSS protection: Content-Security-Policy, X-Content-Type-Options (nosniff), and X-Frame-Options (SAMEORIGIN) headers on all responses
• CORS: Restricted to known origins; portal routes use explicit CORS headers
• Rate limiting: Per-IP rate limiting on API (30/s) and authentication (5/s) endpoints
• Dependency management: Regular dependency updates with pnpm lockfile verification

8. Monitoring & Incident Response

• Activity logging: All user and system actions are logged with actor, action, entity, and timestamp
• Real-time alerts: Socket.io-based real-time event system for immediate notification of security-relevant events
• Webhook delivery monitoring: Failed deliveries are tracked with automatic retry and admin notification
• Health checks: Automated container health monitoring with automatic restart on failure

9. Client Portal Security

• Completely separate authentication system from internal CRM users
• Portal JWT tokens include type: 'portal' — internal tokens cannot access portal routes and vice versa
• All portal data queries are scoped to the authenticated contact's ID — no cross-contact visibility
• Portal users are not counted as seats and cannot access any CRM dashboard functionality
• Silent failure on login/reset attempts for non-existent emails (prevents email enumeration)
• Magic link tokens are single-use and time-limited (24 hours)
• Password reset tokens expire after 2 hours

10. Vulnerability Disclosure

If you discover a security vulnerability in CRMown, please report it responsibly by emailing security@crmown.com. We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days. We will not take legal action against researchers who report vulnerabilities in good faith.

11. Contact

For security-related questions or concerns, contact us at security@crmown.com. For privacy-related inquiries, contact legal@crmown.com.