Security

Last updated: June 2026

Our commitment

Security is a core part of how we build and operate CrunchJunky. The measures described below are maintained continuously and reviewed at least annually.

Encryption

All data in transit is encrypted using TLS 1.2 or higher, with HSTS enforced. Sensitive values at rest — including OAuth access and refresh tokens, and AI API keys — are encrypted with AES-256 before database storage. Passwords are hashed with bcrypt (cost factor 12) and never stored in plain text.

Tenant isolation

Every database query in the platform is scoped to the authenticated user's team ID at the application layer. Cross-tenant data access is architecturally prevented — it is not possible for one organisation's data to be accessed by another.

Access control

Production database and infrastructure access is restricted to a minimal set of authorised personnel. Multi-factor authentication (MFA) is mandatory for all production access. Access events are logged and reviewed periodically. Access rights are revoked promptly on personnel changes.

Rate limiting and abuse protection

Authentication endpoints and sensitive API routes are rate-limited per IP to protect against credential stuffing and brute-force attacks. CSRF protection is enforced on all state-changing operations.

Infrastructure

The platform is hosted on Vercel's edge infrastructure and Neon's managed PostgreSQL service, both with EU data regions (Frankfurt). Both providers maintain their own security certifications and DPAs.

Incident response

We maintain a documented incident-response process. In the event of a personal data breach affecting customer data, we will notify affected customers within 72 hours of discovery as required by Art. 33 GDPR.

Responsible disclosure

If you discover a security vulnerability, please report it responsibly to hello@crunchjunky.io with the subject line "Security Report". We will:

• Acknowledge your report within 48 hours.
• Aim to resolve critical vulnerabilities within 72 hours.
• Keep you informed of our progress.

Please do not publicly disclose the issue until we have had a reasonable opportunity to address it. We do not currently operate a bug-bounty programme, but we deeply appreciate responsible disclosures.