Trust Center

Security & Compliance

CRM Factory is built on enterprise-grade infrastructure with security at every layer. Your data is isolated, encrypted, and protected by the same standards trusted by Fortune 500 companies.

  • AES-256 Encryption
  • TLS 1.3
  • SOC 2 Certified Infrastructure
  • Schema-per-Tenant Isolation
  • RBAC
  • Audit Logging

Encryption Everywhere

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • Encrypted credential storage for integrations
  • Secure session tokens with automatic rotation

Tenant Data Isolation

  • Schema-per-tenant architecture — each org's data lives in its own isolated database schema
  • No cross-tenant data leakage by design
  • Row-level and schema-level access controls
  • Independent data lifecycle per tenant

Authentication & Access

  • Passwordless sign-in via passkeys (WebAuthn / FIDO2)
  • SSO with Microsoft Entra ID, Google Workspace
  • SAML 2.0 and SCIM provisioning (Enterprise)
  • Role-based access control (RBAC) with four levels
  • Multi-factor authentication (TOTP) for admin panel

Audit & Accountability

  • Immutable audit log for all data changes
  • User action trails with IP address and timestamp
  • Admin impersonation logging with time-limited sessions
  • API access logging and key rotation

Infrastructure

  • Hosted on Vercel (SOC 2 Type II certified)
  • Database on Neon Serverless Postgres (SOC 2 Type II certified)
  • AWS us-east-1 region with multi-AZ redundancy
  • Automatic backups with point-in-time recovery
  • DDoS protection and edge CDN via Vercel

Privacy & Data Handling

  • Personal email domains blocked at registration
  • Business email validation at sign-in
  • No training on customer data
  • GDPR-ready data subject request handling
  • Data deletion on account closure

Security Practices

How we build, deploy, and operate

Dependency Scanning

Automated vulnerability scanning on every deployment. Critical CVEs addressed within 24 hours.

Secrets Management

All credentials, API keys, and tokens stored in encrypted environment vaults — never in source code.

Secure Development

Input validation, parameterized queries (Drizzle ORM), CSRF protection, and Content Security Policy headers.

Access Reviews

Least-privilege access for all internal systems. Production database access restricted and audited.

Vendor Due Diligence

All subprocessors evaluated for security posture. Infrastructure providers maintain SOC 2 Type II attestations.

Incident Response

Documented incident response plan with defined escalation paths. Customer notification within 72 hours of confirmed breach.

Questions about our security posture?

We’re happy to walk through our architecture, answer questionnaires, or discuss compliance requirements for your organization.

Last updated: March 2026. Review our Privacy Policy and Terms of Service.