Built secure by default. Audited as we grow.
AutomatticCRM holds your customer data — we treat that responsibility as the most important thing we do.
Encryption
Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database backups are encrypted with separate keys and rotated quarterly.
Access control
Role-based access control on every paid plan. SSO via SAML and SCIM provisioning available on Enterprise. All admin actions are audit-logged.
AI privacy
Your data is never used to train public AI models. Your AI provider key — OpenAI, Anthropic, Gemini, or Ollama — is your choice; data flows through your account, not ours.
Tenant isolation
AutomatticCRM is multi-tenant with strict per-organization scoping. Every query is constrained at the ORM layer; no cross-tenant data exposure is possible.
Backups & DR
Daily encrypted backups, retained 30 days. RPO < 24h. Point-in-time recovery available within the retention window.
Compliance
SOC 2 Type II audit in progress (target: end of year). GDPR-ready out of the box. DPA available on request.
Vulnerability disclosure
Responsible disclosure: report security issues to security@automatticcrm.com. We acknowledge within 1 business day and ship fixes in coordinated time windows.
Subprocessors
AutomatticCRM uses AWS, Stripe, and the AI provider you select. Full subprocessor list in our DPA. We give 30 days' notice of changes.
Reporting a vulnerability
Email security@automatticcrm.com. PGP key available on request. We pay bounties for valid reports.