Security Policy · Effective April 13, 2026

How Crawlux protects your data.

Q: Do you have a vulnerability disclosure program?

Yes. Security researchers can disclose vulnerabilities at security@crawlux.com. We follow responsible disclosure principles with a 90-day coordinated disclosure window. Critical vulnerabilities receive a 24-hour response window. We do not currently offer bug bounties but do publicly credit disclosed researchers in our hall of recognition.

Defense-in-depth security architecture covering encryption, access control, incident response and vulnerability disclosure. Built on AWS with EU-region primary hosting for GDPR alignment.

Read security detailsGDPR · Encrypted at rest · No raw site data stored

EffectiveApril 13, 2026

EncryptionAES-256 · TLS 1.3

Primary regionAWS EU

Disclosure90-day coordinated

Section 01

// Defense in depth

Five layers of security

Crawlux applies layered defense across infrastructure, network, application, data and operational controls. An attacker would need to compromise multiple independent layers to access user data, with each layer raising the cost of attack.

01Infrastructure

AWS-hosted with EU primary region

Production runs on AWS eu-west-1 with backup replicas in eu-central-1. Hardware security, physical access control and supply chain integrity inherited from AWS SOC 2 Type II controls.

02Network

VPC isolation with WAF and DDoS protection

Production VPCs isolated from public internet except through ALB endpoints. CloudFlare WAF filters known attack patterns. AWS Shield Standard mitigates DDoS at the network edge.

03Application

Authentication, rate limiting and CSRF protection

All authenticated routes require valid session tokens. Rate limits applied per IP and per account. CSRF tokens for state-changing operations. Input validation at every API boundary.

04Data

AES-256 encryption at rest, TLS 1.3 in transit

Database, object storage and backup storage all encrypted with AES-256 using AWS KMS-managed keys. API traffic protected with TLS 1.3 minimum. API keys and webhook secrets use envelope encryption.

05Operational

Access logs, audit trails and MFA-required admin

Production database access requires MFA. All access logged with user, action and timestamp. Monthly access audits identify and remove unused permissions. Customer data access requires logged justification.

Section 02

// What is encrypted

Encryption coverage

Encryption applies to every data category Crawlux handles. The table below maps each data type to the encryption mechanism and key management approach.

Data type	In transit	At rest	Key management
Audit JSON output	TLS 1.3	AES-256	AWS KMS
PDF reports	TLS 1.3	AES-256	AWS KMS · S3 SSE-KMS
User account data	TLS 1.3	AES-256	AWS RDS encryption
API keys (when launched)	TLS 1.3	AES-256 · envelope	Customer-isolated keys
Webhook signing secrets	TLS 1.3	AES-256 · envelope	Customer-isolated keys
Payment data	TLS 1.3 to Stripe	Stripe-side only	Stripe PCI infrastructure
Database backups	TLS 1.3	AES-256	Cross-region replicated
Server logs	TLS 1.3	AES-256	CloudWatch encryption

Customer-isolated key encryption

API keys and webhook signing secrets use envelope encryption where each customer's secrets are encrypted with a per-customer KMS key. A breach of one customer's storage layer does not expose other customers' secrets.

Section 03

// Access control

Who has access to your data

Access to production systems and customer data is restricted to engineering team members with documented business need. The principle of least privilege applies across every system. All access is logged.

MFA required for admin access

Production database, infrastructure console and admin dashboard access all require multi-factor authentication. Hardware security keys preferred. SMS-based MFA not permitted.

Least privilege by default

New team members start with zero production access. Privileges granted per documented need with manager approval. Time-limited access for specific tasks where possible.

All access logged

Every database query, S3 object read and admin action is logged with user, timestamp and operation. Logs retained for 1 year minimum. Anomalous patterns flag for review.

Monthly access audits

Engineering reviews production access permissions monthly. Unused permissions removed. Roles outside current responsibility revoked. Audit reports archived for compliance review.

Customer data access logged

Support requests requiring customer data access require documented justification. Each access logged with requester, recipient, justification and timestamp. Customers can request their access log.

Offboarding within 24 hours

When team members leave, all production access revoked within 24 hours. Account credentials rotated. Active sessions invalidated. Access keys removed from rotation pools.

Section 04

// Incident response

5-phase incident response

When a security incident is detected, the response follows a defined 5-phase process with clear timing targets at each phase. The status page logs all confirmed incidents publicly with timestamps.

Phase 01

Detection (target: 15 min)

Automated monitoring alerts on anomalous patterns: unusual login locations, failed authentication spikes, unexpected data egress, error rate spikes. On-call engineer paged within target window.

Phase 02

Containment (target: 1 hour)

Isolate affected systems to prevent lateral movement. Revoke compromised credentials. Block attacker IPs at WAF level. Preserve forensic evidence in read-only state. Do no harm to ongoing investigation.

Phase 03

Assessment (target: 4 hours)

Determine scope: which systems, which data, which users. Categorize severity. Assess regulatory notification obligations. Document timeline. Identify root cause hypothesis for remediation planning.

Phase 04

Remediation (typical: 24 hours)

Patch the vulnerability. Rotate exposed credentials. Restore systems from clean backups if needed. Verify remediation effectiveness through targeted testing. Update detection rules to catch future similar attacks.

Phase 05

Communication (target: 72 hours)

Notify affected users via email within 72 hours of confirmation. Update status page with incident details. File regulatory notifications where required (GDPR, UAE PDPL). Publish post-incident review for learning.

Phase 06

Post-incident review

Within 2 weeks of resolution, the engineering team conducts a blameless postmortem. Findings documented in the changelog. Process improvements tracked through completion. Major incidents reviewed at quarterly all-hands.

Section 05

// Vulnerability disclosure

Responsible disclosure program

Security researchers who find vulnerabilities can disclose them through our responsible disclosure program. We follow coordinated disclosure principles with response time targets that scale with severity.

Severity	Initial response	Remediation target
Critical (RCE, auth bypass, data exposure)	24 hours	7 days from confirmation
High (privilege escalation, sensitive disclosure)	3 business days	30 days from confirmation
Medium (information disclosure, lower-impact issues)	5 business days	60 days from confirmation
Low (minor issues, defense-in-depth)	10 business days	90 days from confirmation

Yes

Public credit and recognition

Disclosed researchers are publicly credited in our security hall of recognition (with permission). Significant findings get a personalized thank you and detailed acknowledgment in the changelog.

No bug bounty currently

Crawlux does not currently offer monetary bug bounties. A formal bug bounty program is on the roadmap for Q3 2027 once the API and SDK platforms have stabilized.

Safe harbor for researchers

Researchers acting in good faith within scope of this program are not subject to legal action under the terms of service. Out of scope: social engineering of staff, physical attacks, denial-of-service testing, attacks against customer accounts.

Section 06

// Compliance posture

Certifications and roadmap

Crawlux runs on AWS infrastructure with extensive certifications inherited from the platform. Independent Crawlux certifications are on the roadmap with target dates published openly.

Now

AWS inherited certifications

Infrastructure runs on AWS holding SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 and PCI DSS Level 1. Attestation reports available to enterprise customers on request.

Q4 2026

Crawlux SOC 2 Type II

Independent SOC 2 Type II audit covering Crawlux as an entity (above the inherited AWS attestation). Target completion Q4 2026. Audit firm engagement in progress.

Q2 2027

Crawlux ISO 27001

ISO 27001 certification target Q2 2027. Builds on the SOC 2 work and extends to formal information security management system documentation aligned to ISO standards.

// Security FAQ

Common questions

Six questions covering encryption, incident response, vulnerability disclosure, internal access, geographic data location and certifications.

Is my audit data encrypted?

Yes. All data is encrypted in transit using TLS 1.3 and at rest using AES-256. Database storage, backup storage and object storage all use AES-256 encryption with keys managed by the cloud provider's KMS. API keys and webhook signing secrets are encrypted with envelope encryption using customer-isolated keys.

How do you handle security incidents?

Security incidents follow a 5-phase response process: Detection within 15 minutes via automated monitoring, Containment within 1 hour to limit blast radius, Assessment within 4 hours to determine scope and impact, Remediation typically within 24 hours and Communication to affected users within 72 hours of confirmation. The status page logs all confirmed incidents with timestamps.

Do you have a vulnerability disclosure program?

Yes. Security researchers can disclose vulnerabilities at [email protected]. We follow responsible disclosure principles with a 90-day coordinated disclosure window. Critical vulnerabilities receive a 24-hour response window. We do not currently offer bug bounties but do publicly credit disclosed researchers in our hall of recognition.

Who has access to my data internally?

Access is limited to engineering team members with documented business need. All access is logged with user, action and timestamp. Production database access requires multi-factor authentication and is audited monthly. Customer data is never accessed for non-essential reasons. Support requests requiring data access are logged with the requester, recipient and justification.

Where is my data stored geographically?

Primary infrastructure is hosted on AWS in EU regions (eu-west-1 and eu-central-1) for GDPR alignment. Backup replicas are in AWS US regions (us-east-1) for redundancy. Audit results may be processed in upstream provider regions during analysis (DataForSEO, AI engines) but processed data returns to our EU primary infrastructure within minutes.

What certifications do you hold?

Crawlux infrastructure runs on AWS which holds SOC 2 Type II, ISO 27001 and ISO 27017. Crawlux as a company is currently working toward independent SOC 2 Type II certification with target completion Q4 2026. The roadmap includes ISO 27001 certification target Q2 2027. Enterprise contracts can request the AWS attestation reports immediately.

Report a vulnerability

// Contact

Security contact

For vulnerability disclosure, security questions or incident reporting, the dedicated security email gets routed to the engineering security team directly.

Security disclosure

Email: [email protected]
PGP key: Available on request
Response window: Per severity table above
Coordinated disclosure: 90-day window from confirmation

For privacy-related security questions, see the privacy policy. For acceptable use questions, see the acceptable use policy. For service status during incidents, see the status page.

RUN YOUR FIRST AUDIT FREE

See Crawlux on your own crypto site.

No signup, no credit card. Full Web3-tuned audit report in 60 seconds.

Free first audit · No signup · 60 seconds · Full PDF report