Security Practices

Client data and project files are held to a high standard of care. This page documents the infrastructure, access controls, and practices we maintain.

Last updated: May 4, 2026

Infrastructure

  • Hosted on Vercel with automatic HTTPS, DDoS protection, and global edge delivery.
  • Database, authentication, and file storage powered by Supabase on AWS (US-East region).
  • Row-level security (RLS) policies are enforced at the database layer — no query executes without permission validation.

Encryption

  • All data in transit is encrypted with TLS 1.2 or higher. HTTPS is enforced on every route.
  • Data at rest is encrypted with AES-256 via AWS-managed keys.
  • Passwords are never stored by CrecyStudio. Client workspace access uses signed token links, not passwords.

Client workspace access

  • Each workspace is accessible via a unique cryptographically signed token — no shared login credentials.
  • Tokens expire after 30 days of inactivity and require re-authentication after expiry.
  • Admin access runs on a completely separate authentication path from client workspaces.

Data isolation

  • Each client's data is isolated by row-level security policies — no client can access another client's data.
  • File storage uses per-project access controls. Only authenticated parties with a valid token for that project can access its files.

Backups and recovery

  • Daily automated database backups with 7-day retention.
  • Point-in-time recovery is available within the active retention window.
  • Backups are stored in the same encrypted AWS environment as live data.

Sub-processors

Data is shared only with the vendors required to operate our platform. Each is contractually bound to protect your data.

  • Vercel: Hosting and edge delivery (Global)
  • Supabase: Database, auth, and storage (AWS US-East)
  • Stripe: Payment processing (United States)
  • Resend: Transactional email (United States)

What we don't do

  • We don't sell, share, or license client data to any third party.
  • We don't subcontract development work. Komlan is the only person with access to client environments and source code.
  • We don't retain client data indefinitely. Projects are archived after 1 year and deleted after 3 years unless legally required otherwise.
  • We don't store payment card data. All payment processing is handled entirely by Stripe.

Your responsibilities

  • Keep your workspace link private. Do not forward it to anyone not part of your project team.
  • Use a private or incognito browser session when accessing your workspace on a shared device.
  • Report any suspicious activity immediately to hello@crecystudio.com.
  • Remove workspace access for team members who leave your organisation.

Vulnerability disclosure

To report a security concern, email hello@crecystudio.com with subject line "Security". We acknowledge all reports within 48 hours and aim to resolve confirmed vulnerabilities within 72 hours.