CRM-G CRM-G
Trust & Security

How we protect your data.

CRM-G stores customer relationship data and runs AI workflows on top of it. We take that responsibility seriously — which means being specific and honest about what we have today, what we run on, and what is on the roadmap.

Data protection

Customer data is encrypted in transit and at rest at all times.

  • TLS 1.2+ for all data in transit (HTTPS only; HTTP is rejected at the load balancer)
  • AES-256 at rest for application data via Cloud SQL transparent encryption
  • Google-managed encryption keys today; customer-managed keys (CMEK) available on request
  • Secrets stored in GCP Secret Manager — never in source repositories or environment files

Access control

Every CRM-G action is authenticated and authorized through a metadata-driven IAM model.

  • Granular access control per business component, with admin-defined roles
  • Per-tenant data access scopes (ALL / TEAM / OWN) enforced server-side
  • Tenant isolation enforced at the database layer via PostgreSQL Row-Level Security policies on tenant-owned tables
  • Authentication and admin actions written to an append-only audit log

Infrastructure

CRM-G runs on Google Cloud Platform in us-central1 (Iowa) with regional high availability.

  • Cloud Run application services with a warm minimum-instance pool
  • Cloud SQL PostgreSQL 16 in regional HA configuration (multi-zone failover)
  • Cloud Armor rate limits and abuse-prevention rules at the edge
  • Cloud Logging with sensitive-payload redaction and bounded retention
  • GCP itself is independently audited under SOC 2 Type II, ISO/IEC 27001/27017/27018, and is HIPAA-eligible — these certifications cover the underlying infrastructure that hosts CRM-G

Backups and resilience

Daily automated backups with point-in-time recovery; restore drills run on a regular cadence.

  • Cloud SQL automated daily backups
  • 14-day point-in-time recovery (PITR) window
  • Restore drills exercised in a non-production environment to validate backup integrity
  • Cloud Storage object lifecycle policies on tenant attachments and exports

Vulnerability management

Continuous scanning across application code, dependencies, and the cloud control plane.

  • Dependency scanning (Dependabot, Snyk) on every pull request
  • OWASP ZAP automated scans against staging on a regular cadence
  • GCP Security Command Center monitoring for misconfiguration and exposure
  • Per-tenant AI token quotas with overage blocking to prevent abuse-driven cost spikes
  • Formal external penetration test scheduled as part of the SOC 2 Type 1 audit cycle

Compliance roadmap

We are transparent about where we are. CRM-G is not yet SOC 2 audited; the audit cycle is funded and scheduled.

  • SOC 2 Type 1 audit (Security Trust Services Criteria) scheduled for Q2 2027, conducted by a licensed CPA firm under AICPA SSAE 18
  • Internal controls today are mapped to the SOC 2 Trust Services Criteria — policies, access reviews, change management, incident response, vendor management, backup and restore, asset inventory, data retention, and acceptable-use
  • GDPR: standard contractual clauses and Data Processing Addenda (DPAs) available on request
  • HIPAA: Business Associate Agreements (BAAs) available on request for tenants with PHI in scope
  • We do not currently claim ISO/IEC 27001 certification or SOC 2 Type 2 — these are on the roadmap

Sub-processors

CRM-G uses a small set of third-party services to deliver the product. The current list:

  • Google Cloud Platform — primary hosting (Cloud Run, Cloud SQL, Cloud Storage, Cloud Logging, Secret Manager, Cloud Armor, Firestore)
  • Mailgun — transactional email delivery
  • Qdrant Cloud — vector search for AI knowledge retrieval
  • Anthropic / Google Vertex AI — large language model inference for the AI assistant
  • Stripe — billing and payment processing
  • We notify organization administrators in advance of material sub-processor changes

Reporting a vulnerability

If you believe you have found a security issue affecting CRM-G, please email us before disclosing it publicly. We acknowledge reports within two business days and treat reporters in good faith.

security@crmg.ai

This page reflects CRM-G's current security posture. We update it when controls, sub-processors, or compliance status change. SOC 2 reports, when available, will be made accessible to customers under NDA.