Security and trust
Built for customers who need evidence-linked records they can audit.
CrowdAlpha delivers action-ready Planetary Model context to people, agents, and systems that need provenance, scoped access, auditability, and clear boundaries. Security review is part of serious enterprise evaluation, not a side document.
Controls
Practical controls for scoped, audited access.
TLS 1.2+ for traffic and HSTS on public surfaces.
Encryption at rest through the deployment and database platforms.
Credentials and keys are kept out of source control and managed through deployment controls.
Server-side access-scope checks before restricted data, evidence, or integration outputs are returned.
Rate limiting on sensitive authentication routes; if the limiter itself fails, requests are denied rather than allowed through (fail-closed behavior).
CSRF protection on state-changing web routes.
Audit logging for privileged actions, access changes, and security-sensitive operations.
Dependency and code scanning for known vulnerable packages and risky changes.
Account deletion removes or anonymizes user-linked product data, subject to legal and audit retention requirements.
Enterprise diligence
Security review
Architecture, controls, access model, logging, and data-flow questions for approved evaluations.
Sub-processors
Current vendor list and data-handling purpose published for customer review.
Enterprise terms
Commercial contracts can cover permitted use, retention, support, confidentiality, and workflow scope.
Responsible disclosure
Security reports go to security@crowdalpha.ai with an acknowledgement target of 3 business days.
Assurance roadmap
Third-party assurance roadmap shared during approved enterprise review; no public certification claim is made.
External penetration test program targeted for the same assurance window.
Customer-managed encryption key options for enterprise deployments.
Expanded MFA options for end-user accounts.
Dedicated public incident-history and uptime reporting.
Managed bug-bounty program once the initial disclosure process matures.
Responsible disclosure
Email security@crowdalpha.ai with a clear reproduction. We aim to acknowledge within 3 business days and remediate critical findings within 30 days. Good-faith researchers who give us a reasonable disclosure window are welcome.
Out of scope: social engineering, physical attacks, DDoS, AI model extraction, and secondary issues that are only reachable from an already compromised endpoint.