Security

Last updated: January 2026

1. Security Overview

Security is fundamental to how we build and operate Crawfish API. We employ industry-standard practices to protect your data, API keys, and ensure the integrity of our service.

🛡️ Our Security Principles:

  • Minimize data collection - we don't store your prompts or responses
  • Encrypt everything - at rest and in transit
  • Defense in depth - multiple layers of security
  • Principle of least privilege - minimal access by default
  • Transparency - clear policies and honest commitments

2. Encryption

🔒 At Rest

AES-256

All stored data encrypted with AES-256-GCM

🌐 In Transit

TLS 1.3

All connections encrypted with TLS 1.3 (minimum TLS 1.2)

What's Encrypted:

  • Database contents
  • API keys (encrypted before storage)
  • File system data
  • Backups
  • All API communications
  • Dashboard sessions

3. API Key Security

API keys are the most sensitive piece of data in our system. We treat them with extra care:

🔑 Key Protection Measures:

  • Encrypted at rest using AES-256 before storage
  • Never logged in full - only last 4 characters shown
  • Transmitted only over encrypted connections
  • Hashed using SHA-256 for verification
  • Regeneratable at any time
  • Individual keys per user/team with granular permissions

⚠️ Key Security Best Practices:

  • Never commit API keys to version control
  • Use environment variables, not hardcoded values
  • Rotate keys periodically
  • Use separate keys for development and production
  • Set spending limits on keys
  • Monitor usage for anomalies

4. Data Privacy & Prompt Handling

We have a strict policy regarding your prompts and responses:

✅ What We DO:

  • Forward your requests directly to model providers
  • Log token usage (counts only, not content) for billing
  • Store minimal data required for service operation
  • Support zero-logging mode (where available)

❌ What We DON'T DO:

  • Store the content of your prompts
  • Store model responses
  • Cache or retain request/response data
  • Analyze your prompts for any purpose
  • Share your prompts with third parties
  • Use your data to train models

Model Provider Data Policies:

Your prompts are sent directly to model providers (OpenAI, Anthropic, etc.). Their data policies apply during processing:

5. Access Control

We implement strict access controls at multiple levels:

🔐 Multi-Layer Access Control:

  • Role-Based Access Control (RBAC): Users have defined roles with specific permissions
  • API Key Hierarchy:
    • - Master Key: Full account access
    • - User Keys: Individual user permissions
    • - Spend Limit Keys: Capped spending
  • IP Allowlisting: Optional IP-based access restrictions (enterprise)
  • Multi-Factor Authentication: Available for account security

Internal Access:

  • Employees require MFA for internal systems
  • SSH access uses key-based authentication only
  • Production access is logged and audited
  • Least privilege principle applied

6. Audit Logging

Comprehensive logging for security and compliance:

Logged Events:

  • Authentication events (login, logout, failures)
  • API key creation, rotation, deletion
  • Account changes (settings, team members)
  • Billing and payment events
  • Admin actions (internal)
  • Security events (suspicious activity)

What We Don't Log:

The actual content of your prompts or model responses. We only log metadata such as token counts for billing purposes.

7. Infrastructure Security

Our infrastructure is hosted on secure, enterprise-grade cloud services:

🏢 Hosting:

  • Provider: Tencent Cloud (Singapore region)
  • Server Location: Singapore
  • Type: Cloud servers with managed services

Infrastructure Protections:

  • Network firewalls and security groups
  • DDoS protection
  • WAF (Web Application Firewall)
  • Automatic security patching
  • Regular vulnerability scanning
  • Intrusion detection systems

8. Compliance & Certifications

✅ Currently Implemented:

  • GDPR compliance for EU users
  • CCPA compliance for California residents
  • Data Processing Agreements (DPAs) available
  • Industry-standard security practices
  • Privacy-by-design principles

📋 In Roadmap:

  • SOC 2 Type II: In planning phase, expected timeline TBD
  • ISO 27001: Consideration phase
  • Penetration Testing: Scheduled quarterly

Contact us for security questionnaires or additional compliance documentation.

9. Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities:

Report a Vulnerability:

If you discover a security vulnerability, please report it responsibly:

What to Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Any suggested fixes (optional)

Out of Scope:

  • Denial of service attacks
  • Social engineering
  • Physical security issues
  • Vulnerabilities in third-party services

10. Contact

For security-related inquiries:

General Security: admin@crawfish.top

Urgent Issues: security@crawfish.top