Enterprise-grade security from day one.
CrowAgent is built on UK infrastructure with data protection, encryption, and access controls designed for regulated industry use. Every layer, from disk to API, is auditable.
Operational standards
The controls every CrowAgent organisation inherits by default, from encryption to data residency to regulatory registration.
AES-256 encryption at rest
Disk-level AES-256-GCM with automatic key rotation across databases, file storage, and backups.
TLS 1.3 in transit
Forward-secret HTTPS on every request with HSTS preload and modern cipher suites only.
GDPR-aligned data processing
Subject rights supported end to end. Full Data Processing Agreement available for customers on request.
UK and EU data residency
Primary customer data stays in the UK region. Supporting services operate in the EU under SCCs.
ISO 27001 controls*
We follow ISO 27001 controls. Formal certification planned for Phase 2.
ICO Registered Data Controller
CrowAgent Ltd is registered with the Information Commissioner's Office and verifiable on the ICO public register.
Security documentation
The detail behind each control, written for security and procurement teams. Jump to any topic, or contact us for an audit pack.
AES-256 encryption
All customer data is encrypted at rest using AES-256, and in transit using TLS 1.3. Encryption keys are managed at the infrastructure level and rotated automatically. Database snapshots, file storage, and backups inherit the same protection.
At rest
AES-256-GCM
In transit
TLS 1.3, HSTS
Key rotation
Automatic
Backups
Encrypted
UK & EU data residency
- Primary customer data is stored in Supabase’s UK region.
- Supporting services may process metadata in the EU (PostHog EU Cloud).
- Other processors operate under Standard Contractual Clauses (SCCs).
- No personal data is sent to AI providers for training. See our Privacy Policy for the full sub-processor list.
Metadata sub-processors
GDPR compliance
- CrowAgent Ltd is registered as a data controller with the Information Commissioner’s Office (ICO) under the Data Protection (Charges and Information) Regulations 2018.
- A full Data Processing Agreement (DPA) is available on request for customers.
- Data subject rights supported: right to erasure, data portability, restriction of processing, and access.
- Data Protection Impact Assessments (DPIAs) are reviewed for new product capabilities that process personal data.
ICO contact & registration
Verifiable on the ICO public register by searching for “CrowAgent Ltd”.
Data requests: [email protected]
Access controls
Platform access is enforced in depth: organisation-scoped roles at the application layer, Row-Level Security at the database, and multi-factor authentication at the identity layer.
RBAC
- Org-scoped roles: Owner, Admin, Member.
- Privileged actions audit-logged.
- Invite-only org joins.
RLS
- Row-Level Security enforced in Postgres.
- Org isolation at query time.
- No cross-tenant data paths.
MFA
- TOTP available for every account.
- Required for Owner/Admin actions.
- Session revocation on demand.
ISO 27001 controls
Certification in progress
Our security controls programme is aligned with ISO 27001 principles. We plan to pursue formal certification as the business scales. Internal security reviews run continuously, and OWASP best practices are applied to all application development.
AI data handling
AI inference (narrative generation, compliance analysis) uses Google Gemini via server-side API calls only. The boundaries below describe exactly what crosses the model provider.
What is sent
- Prompt context for the active task.
- Public reference text where required.
- Server-side API calls only.
What is NOT sent
- Customer data for training.
- Bulk exports or full org datasets.
- Authentication tokens or PII.
Inference & retention
- CrowAgent-brokered infrastructure.
- Provider zero-retention terms.
- Inputs not retained by the model.
Model Usage & Data Isolation
Inference traffic is brokered through CrowAgent-controlled service identities. Prompts include the minimum context required to satisfy the active task. Model responses are post-processed before storage to strip provider metadata.
Vulnerability disclosure
Report security vulnerabilities responsibly to [email protected] with the subject “Security Disclosure”. We acknowledge receipt within two business days and triage as below.
| Severity | Examples | Triage SLA | Patch SLA |
|---|---|---|---|
| Critical | RCE, auth bypass | 1 business day | 5 days |
| High | Privilege escalation | 2 business days | 14 days |
| Medium | CSRF, XSS | 3 business days | 30 days |
| Low | Hardening findings | 5 business days | Best-effort |
Uptime commitment
99.5%
Uptime Target
CrowAgent targets 99.5% monthly uptime. Independent monitoring planned for Q3 2026.
View status pageDeep dives
Sub-processors list
Sub-processors handle metadata only. None receive customer-controlled personal data for training.
- PostHog (EU Cloud), product analytics, event metadata.
- Brevo (EU), transactional email delivery.
- Cloudflare (global, SCC), CDN, DDoS protection.
- Calendly (SCC), meeting scheduling links.
- Stripe (SCC), billing and payment processing.
Severity levels in detail
Our severity model follows CVSS 3.1 base scoring, adjusted for environmental impact across multi-tenant data isolation.
- Critical: active exploitation paths affecting confidentiality or integrity of customer data.
- High: escalation paths within an authenticated session.
- Medium: targeted attacks requiring user interaction or constrained scope.
- Low: defensive hardening, configuration drift, or informational findings.
Company & regulatory details
Data request contact
For erasure, portability, restriction, or access requests, email [email protected]. We respond within statutory timeframes.