Security

Last Updated: March 4, 2026

At Autocrew, security is foundational to everything we build. This page describes the technical and organizational measures we use to protect your data and ensure the integrity of our platform.

Security Overview

Autocrew is built with a security-first architecture designed to meet the demands of enterprise customers handling sensitive data. Our security program encompasses:

  • Defense in depth: Multiple layers of security controls across infrastructure, application, and data layers
  • Zero-trust principles: Every request is authenticated and authorized regardless of origin
  • Continuous monitoring: Real-time threat detection and automated incident response
  • Regular auditing: Independent third-party security assessments and penetration testing

Encryption

All customer data is encrypted both at rest and in transit using industry-leading cryptographic standards.

Data at Rest

  • AES-256 encryption for all stored data including databases, file storage, and backups
  • Encrypted database volumes with provider-managed or customer-managed keys
  • Encrypted backups stored in geographically separate regions
  • Secure key storage using Hardware Security Modules (HSMs)

Data in Transit

  • TLS 1.3 enforced for all client-to-server and server-to-server communications
  • HTTP Strict Transport Security (HSTS) with long-duration max-age directives
  • Certificate pinning for API connections to critical services
  • Forward secrecy enabled on all TLS connections

Key Management

  • Encryption keys managed through dedicated Hardware Security Modules (HSMs)
  • Automated key rotation on a 90-day cycle
  • Strict separation between key management infrastructure and data storage
  • Key access restricted to authorized security personnel with audit logging

Infrastructure and Architecture

Autocrew runs on enterprise-grade cloud infrastructure with multiple layers of protection:

  • Multi-region deployment: Infrastructure distributed across multiple availability zones for high availability and disaster recovery
  • Network segmentation: Strict firewall rules and network policies isolate production, staging, and development environments
  • DDoS protection: Enterprise-grade DDoS mitigation at the network and application layers
  • Container isolation: Tenant workloads run in isolated containers with resource limits and security policies
  • Disaster recovery: Defined Recovery Point Objective (RPO) and Recovery Time Objective (RTO) with automated failover procedures
  • Immutable infrastructure: Infrastructure deployed as code with automated provisioning, reducing configuration drift and human error

Access Control

Role-Based Access Control

  • Granular, role-based permissions following the principle of least privilege
  • Workspace-level access controls for team management
  • API key scoping with fine-grained permission sets
  • Regular access reviews and automated deprovisioning

Authentication

  • Multi-factor authentication (MFA) enforced for all accounts
  • Single Sign-On (SSO) support via SAML 2.0 and OpenID Connect (OIDC)
  • Secure session management with configurable timeout policies
  • Brute-force protection with progressive rate limiting and account lockout

Administrative Access

  • Just-in-time (JIT) privileged access — no standing admin credentials
  • All administrative actions logged with immutable audit trails
  • Separate authentication for production system access
  • Mandatory peer approval for sensitive operations

Incident Response

Autocrew maintains a comprehensive incident response program to detect, contain, and remediate security events:

  • 24/7 monitoring: Dedicated security operations with around-the-clock threat monitoring and alerting
  • Severity classification: Defined severity levels (P1 through P4) with corresponding response SLAs and escalation procedures
  • Customer notification: Affected customers notified within 72 hours of confirmed data breaches, in compliance with GDPR and applicable regulations
  • Post-incident review: Root cause analysis and remediation tracking for every security incident, with findings incorporated into security controls
  • Tabletop exercises: Regular incident response drills to test and improve response readiness

Monitoring and Logging

  • Centralized logging: All system, application, and security logs aggregated in a centralized platform with structured indexing
  • SIEM integration: Security Information and Event Management system for correlation, alerting, and investigation
  • Anomaly detection: Machine learning-based anomaly detection to identify suspicious patterns and potential threats
  • Audit trail retention: Security-relevant logs retained for a minimum of 12 months with integrity protections
  • Real-time alerting: Automated alerts for suspicious activities including unauthorized access attempts, configuration changes, and data exfiltration patterns

Vulnerability Management

  • Penetration testing: Annual third-party penetration tests supplemented by continuous automated vulnerability scanning
  • Responsible disclosure: Public responsible disclosure program for security researchers to report vulnerabilities
  • Patch management: Critical vulnerabilities patched within 24 hours; high-severity within 7 days; medium and low within 30 days
  • Dependency scanning: Automated dependency scanning integrated into CI/CD pipelines to catch vulnerable packages before deployment
  • Static analysis: Automated static application security testing (SAST) as part of the development workflow

Employee Security

  • Background checks: Comprehensive background screening for all employees with access to customer data or production systems
  • Security training: Mandatory security awareness training at onboarding and annually, with role-specific secure development training for engineers
  • Endpoint protection: Company-managed devices with full-disk encryption, endpoint detection and response (EDR), and mobile device management (MDM)
  • Offboarding: Immediate access revocation upon termination, with device recovery and credential rotation

Third-Party Risk Management

We carefully evaluate and monitor all third-party vendors and subprocessors that interact with customer data:

  • Vendor assessments: Security questionnaires, SOC 2 report reviews, and risk scoring for all vendors before onboarding
  • Contractual requirements: Data Processing Agreements (DPAs) and security addenda required for all subprocessors
  • Ongoing monitoring: Annual reassessment of vendor security posture with continuous monitoring for critical vendors
  • Change notification: Customers notified of material changes to subprocessors that handle their data

Data Handling and Privacy Safeguards

  • Data classification: All data classified by sensitivity level (public, internal, confidential, restricted) with corresponding handling requirements
  • Data minimization: We collect and retain only the data necessary to deliver our services
  • Tenant isolation: Strict logical separation of customer data with tenant-scoped access controls at every layer
  • Secure deletion: Cryptographic erasure and secure overwrite procedures when data is deleted or when a customer offboards
  • Privacy safeguards: For detailed information about how we handle personal data, see our Privacy Policy

Contact Us

If you have questions about our security practices or need to report a security concern, please contact us:

  • Security Team: support@autocrew-ai.com
  • Responsible Disclosure: support@autocrew-ai.com
  • Address: Autocrew Inc., 123 AI Street, San Francisco, CA 94105