Data protection
Customer data is encrypted in transit and at rest at all times.
- TLS 1.2+ for all data in transit (HTTPS only; HTTP is rejected at the load balancer)
- AES-256 at rest for application data via Cloud SQL transparent encryption
- Google-managed encryption keys today; customer-managed keys (CMEK) available on request
- Secrets stored in GCP Secret Manager — never in source repositories or environment files
Access control
Every CRM-G action is authenticated and authorized through a metadata-driven IAM model.
- Granular access control per business component, with admin-defined roles
- Per-tenant data access scopes (ALL / TEAM / OWN) enforced server-side
- Tenant isolation enforced at the database layer via PostgreSQL Row-Level Security policies on tenant-owned tables
- Authentication and admin actions written to an append-only audit log
Infrastructure
CRM-G runs on Google Cloud Platform in us-central1 (Iowa) with regional high availability.
- Cloud Run application services with a warm minimum-instance pool
- Cloud SQL PostgreSQL 16 in regional HA configuration (multi-zone failover)
- Cloud Armor rate limits and abuse-prevention rules at the edge
- Cloud Logging with sensitive-payload redaction and bounded retention
- GCP itself is independently audited under SOC 2 Type II, ISO/IEC 27001/27017/27018, and is HIPAA-eligible — these certifications cover the underlying infrastructure that hosts CRM-G
Backups and resilience
Daily automated backups with point-in-time recovery; restore drills run on a regular cadence.
- Cloud SQL automated daily backups
- 14-day point-in-time recovery (PITR) window
- Restore drills exercised in a non-production environment to validate backup integrity
- Cloud Storage object lifecycle policies on tenant attachments and exports
Vulnerability management
Continuous scanning across application code, dependencies, and the cloud control plane.
- Dependency scanning (Dependabot, Snyk) on every pull request
- OWASP ZAP automated scans against staging on a regular cadence
- GCP Security Command Center monitoring for misconfiguration and exposure
- Per-tenant AI token quotas with overage blocking to prevent abuse-driven cost spikes
- Formal external penetration test scheduled as part of the SOC 2 Type 1 audit cycle
Compliance roadmap
We are transparent about where we are. CRM-G is not yet SOC 2 audited; the audit cycle is funded and scheduled.
- SOC 2 Type 1 audit (Security Trust Services Criteria) scheduled for Q2 2027, conducted by a licensed CPA firm under AICPA SSAE 18
- Internal controls today are mapped to the SOC 2 Trust Services Criteria — policies, access reviews, change management, incident response, vendor management, backup and restore, asset inventory, data retention, and acceptable-use
- GDPR: standard contractual clauses and Data Processing Addenda (DPAs) available on request
- HIPAA: Business Associate Agreements (BAAs) available on request for tenants with PHI in scope
- We do not currently claim ISO/IEC 27001 certification or SOC 2 Type 2 — these are on the roadmap
Sub-processors
CRM-G uses a small set of third-party services to deliver the product. The current list:
- Google Cloud Platform — primary hosting (Cloud Run, Cloud SQL, Cloud Storage, Cloud Logging, Secret Manager, Cloud Armor, Firestore)
- Mailgun — transactional email delivery
- Qdrant Cloud — vector search for AI knowledge retrieval
- Anthropic / Google Vertex AI — large language model inference for the AI assistant
- Stripe — billing and payment processing
- We notify organization administrators in advance of material sub-processor changes
Reporting a vulnerability
If you believe you have found a security issue affecting CRM-G, please email us before disclosing it
publicly. We acknowledge reports within two business days and treat reporters in good faith.
security@crmg.ai
This page reflects CRM-G's current security posture. We update it when controls,
sub-processors, or compliance status change. SOC 2 reports, when available, will be made accessible to
customers under NDA.