Security
Your labor rates are competitively sensitive — pricing your bids is the whole product. Here is how CrewMix actually protects them. No badges, no vague claims; this is what runs in production.
Encryption
All traffic is served over TLS (HTTPS), fronted by a reputable CDN with a web application firewall. Data is encrypted at rest in our managed database and file storage on reputable cloud infrastructure. Backups are encrypted and age out on a fixed retention schedule.
Account protection
Passwords are stored only as a strong, industry-standard one-way hash — never in plaintext, never recoverable. Sign-in is protected by a managed bot-protection challenge and a brute-force lockout with per-account throttling. Sessions are signed, rotated on every sign-in, and invalidated by password changes. Email verification is required before an account reaches the app.
Tenant isolation
Every row of business data is scoped to your organization, and the data layer enforces it with fail-loud guards: a query that is not organization-scoped fails in development and in our test suite rather than leaking across tenants. There is no shared data between customers.
Access control and audit
Role-based access control governs what each user can see and change, down to branch-level scoping. Every create, update, and delete is audit-logged — who changed what, and when — and administrators can review the trail in the app.
Application hardening
Every response carries a strict security-header set (Content-Security- Policy, HSTS, frame denial, MIME sniffing protection). The app serves no third-party CDN scripts — all code ships from our own origin, pinned and reviewed. CSRF protection covers every state-changing request.
Payments
Checkout and card management happen on Stripe's hosted, PCI-compliant pages. Card numbers never touch CrewMix servers.
Vendors
The full list of subprocessors and what each one sees is published in our Privacy Policy.
Reporting a vulnerability
If you believe you have found a security issue, email [email protected] — we read those first and will respond promptly. Machine-readable details live at /.well-known/security.txt.