Crawlmind

Home/Docs/Security, hosting & privacy

Account & billing

Security, hosting & privacy

Updated 2026-05-18

Crawlmind runs on DigitalOcean (NYC region). Customer data — crawled HTML, generated reports, integration refresh tokens — is stored in PostgreSQL (RDS-equivalent managed by DO) + DO Spaces (S3-compatible). All traffic is TLS 1.3; integration secrets are AES-256-GCM-encrypted at rest. Full detail at /legal/security.

Data hosted on Crawlmind

  • User accounts — email, hashed password (bcrypt cost 12), MFA secret (encrypted), session refresh hashes
  • Organizations — name, slug, branding (logos hosted in DO Spaces)
  • Subscriptions — Stripe customer + subscription IDs (no card data; Stripe holds it)
  • Crawl artefacts — fetched HTML bodies, parsed JSON-LD, screenshots (Playwright only)
  • Issues + recommendations — generated audit findings
  • Integration tokens — GSC + GA4 refresh tokens (AES-256-GCM encrypted)
  • Audit logs — every admin + sensitive-mutation action, retained 1 year

Encryption posture

  • In transit: TLS 1.3 everywhere (Cloudflare → Caddy → app)
  • At rest: PostgreSQL volume encryption + per-secret application-layer encryption for tokens, integration creds, staging passwords
  • Database backups: encrypted snapshots, retained 7 days
  • Spaces objects: server-side encryption (SSE-S3 equivalent)

Access control

  • RBAC — OWNER / ADMIN / EDITOR / VIEWER per organization
  • MFA — TOTP, enforced per-org (Agency+) or optional individually
  • SSO — SAML 2.0 + OIDC on Enterprise
  • Audit logs — every privileged action records actor, IP, user-agent, target, metadata

GDPR rights

EU/UK/Swiss data subjects:

  • Right to access — download a full export of everything we hold about your account from /me/export. Async job, ZIP delivered to your email
  • Right to rectification — update profile, org settings, billing contact in-app
  • Right to erasure/me/delete-account schedules a 14-day grace deletion. Cancel within the window or wait for purge.
  • Right to portability — exports are JSON for app data + CSV for tabular reports

DPA available on request: [email protected]. See /legal/dpa for the standard text we incorporate into Terms for EU customers.

Sub-processors

Current sub-processors that handle customer data:

  • DigitalOcean — hosting + Spaces object storage
  • Stripe — payments
  • OpenAI / Anthropic — AI enrichment (your plan choice)
  • Postmark — transactional email
  • Sentry — error tracking (no customer data; just stack traces)
  • GitHub — source code only

We maintain a versioned list at /legal/subprocessors. We notify customers 30 days before adding any new sub-processor.

Reporting a security issue

Email [email protected]. We acknowledge within 24h. Bug bounty: out of scope for now (we're pre-Series-A); we'll publicly credit the reporter on /legal/security for any genuine finding.

Related docs

Ready to try it?

Free tier: 5 crawls / month, no credit card.

Start free Score any site →