Trust Center
Crawdad is built to protect AI agents in adversarial environments. This page describes how we protect you and your data.
Security Overview
Crawdad is a security-first platform designed for teams deploying autonomous AI agents. Every component is built with a zero-trust posture: all data is encrypted end-to-end, all actions are logged cryptographically, and no plaintext is ever accessible to Crawdad operators. The system is implemented in Rust for memory safety and uses only audited cryptographic libraries.
Encryption
- TLS 1.3 for all connections in transit, with no fallback to older protocol versions.
- CRYSTALS-Kyber1024 (NIST FIPS 203) post-quantum key encapsulation for key exchange, protecting data against harvest-now-decrypt-later attacks.
- AES-256-GCM encryption at rest for all stored data, with per-tenant key isolation.
- Zero-knowledge architecture — encryption keys are derived from your master password, which we never store. Crawdad cannot read your data even if compelled legally.
- Forward secrecy — ephemeral session keys are rotated per connection, ensuring that compromise of a long-term key does not expose past sessions.
Access Controls
- API keys — scoped, rotatable tokens for SDK and REST API access. Each key is bound to a single project and can be revoked instantly.
- Admin keys — separate elevated credentials for account management, billing, and configuration changes. Never used for runtime operations.
- Audit trail — every access event (login, key creation, key rotation, policy change) is recorded in the immutable audit log.
- Least privilege — all internal services run with minimal permissions. No service has access to another service's data unless explicitly required.
Audit Logging
- Immutable log — audit records are append-only and cannot be modified or deleted by any user, including administrators.
- SHA-256 Merkle chain — each log entry is chained to the previous entry using SHA-256 hashes, forming a tamper-evident Merkle chain. Any modification to a past entry invalidates all subsequent hashes.
- Ed25519 signed — every log entry is digitally signed with Ed25519, providing cryptographic proof of authenticity and non-repudiation.
- Retention — 7 days on Free tier, 30 days on Pro tier, 90 days on Business tier, unlimited on Enterprise. Logs are exportable in JSON format at any time.
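An added example, not Crawdad's code or export schema, showing how a SHA-256 hash chain like the one described above is verified and why editing a past entry breaks every later hash. The field names (`prev_hash`, `payload`, `hash`), the all-zero genesis value and the sample events are assumptions; Ed25519 signature checking is omitted because the page gives no key or signature format.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first entry's prev_hash


def entry_hash(prev_hash, payload):
    # Canonical JSON so identical payloads always hash to identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def build_chain(payloads):
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = entry_hash(prev, payload)
        chain.append({"prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain, trusted_head):
    """Return (ok, detail); detail names the first entry that fails."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev:
            return False, f"entry {i}: broken link"
        if entry_hash(prev, entry["payload"]) != entry["hash"]:
            return False, f"entry {i}: hash mismatch"
        prev = entry["hash"]
    # A chain that is rewritten from some entry onward, or cut short, is
    # still internally consistent; only a separately stored head catches it.
    if prev != trusted_head:
        return False, "head mismatch"
    return True, "ok"


# Constructed sample events (not real Crawdad log records).
EVENTS = [
    {"seq": 0, "event": "login", "actor": "alice"},
    {"seq": 1, "event": "key_creation", "actor": "alice"},
    {"seq": 2, "event": "key_rotation", "actor": "bob"},
    {"seq": 3, "event": "policy_change", "actor": "bob"},
]

if __name__ == "__main__":
    log = build_chain(EVENTS)
    head = log[-1]["hash"]
    print(verify_chain(log, head))
    edited = copy.deepcopy(log)
    edited[1]["payload"]["actor"] = "mallory"
    print(verify_chain(edited, head))
```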
Incident Response
- 4-hour alert window — all affected customers are notified within 4 hours of confirmed security incident detection.
- Public advisories — security advisories are published at getcrawdad.dev/docs/advisories.html with full technical detail.
- Responsible disclosure — we follow coordinated disclosure practices and credit researchers who report vulnerabilities.
Compliance
- GDPR compliant — data processing agreements available, data residency controls, right to erasure supported.
- SOC 2 Type II — audit in progress, expected completion Q4 2026.
- FedRAMP — on roadmap for 2027.
- HIPAA — Business Associate Agreements available on Business tier and above.
Penetration Testing
- Professional third-party penetration test planned for Q3 2026.
- Results will be published publicly in full, with no redactions beyond researcher-requested coordination delays.
Responsible Disclosure
If you discover a security vulnerability in Crawdad, please report it through the contact form at getcrawdad.dev. We commit to a 24-hour initial response and will work with you to understand and resolve the issue before any public disclosure. We do not pursue legal action against good-faith security researchers.
Contact
For security questions, vulnerability reports, or compliance inquiries: