Security posture

Trust & security

Plain English. No theater. If something is on the roadmap rather than in production, we say so.

Encryption at rest

AES-256-GCM for provider credentials

Every provider API key you upload is encrypted with AES-256-GCM before it touches our database. The encryption key is held server-side and rotated quarterly. Plaintext credentials never land in logs, audit trails, or backups.

Encryption in transit

TLS 1.3 across every hop

All API traffic is HTTPS. Internal service-to-service calls inside our VPC use mutual TLS. Webhooks are signed with HMAC-SHA256.

Authentication

JWT + bcrypt (cost factor 12)

Passwords are hashed with bcrypt at cost factor 12. Sessions use signed JWTs in localStorage (no cookies, no CSRF surface). API keys carry the sr_ prefix, are scoped per organization, and can be revoked.

Tenancy

org_id on every row, every query

Every database row carries an org_id, every repository query checks it, and every queue message uses org-sharded MessageGroupIds. A misrouted job fails closed (silent no-op); it never crosses tenants.

Backups

Daily snapshots, 30-day retention

Postgres and the analytics TimescaleDB are snapshotted nightly to S3 with 30-day retention. Restore drills run quarterly.

Audit

Every config change is logged

Login, role change, API key creation, provider credential update, workflow edit — all recorded with actor + timestamp + IP. 90-day retention by default; longer retention available on request.

Vendor ToS

BYO credentials means BYO terms

justcrawl orchestrates requests through providers you bring. Your relationship with Bright Data, Oxylabs, Nimble Way, Zyte, and Decodo is governed by their terms — we never act as a reseller.

Data residency

us-east-1 (Virginia)

All production data is stored in AWS us-east-1. EU residency is on the roadmap; contact us if it is a procurement blocker.

Procurement

Need a security review or DPA?

Email security@justcrawl.io with your questionnaire. Typical turnaround is 2 business days. We do not yet have SOC 2 — it is on the Q3 roadmap.