Trust & security

Built on infrastructure you can audit.

Your customer list, warranty claim data, and payment records belong to you. We use industry-standard managed services so the security posture matches what you’d expect from any modern SaaS — without us hand-rolling the parts that should be off-the-shelf.

At a glance

How Crankshop handles your data.

Encrypted at rest and in transit

AES-256 at rest and TLS 1.3 in transit, both provided by our managed database and hosting platforms. Backups are encrypted with the same standards.

Per-shop isolation

Row-level security policies in Postgres restrict every query to the calling shop. Your data never commingles with another shop’s.

US-hosted

Application hosting and managed Postgres run in US regions. No offshore data residency.

Industry-standard auth

Authentication is handled by Supabase Auth with hashed, salted passwords. We never store passwords in any reversible form.

Two-factor authentication

TOTP-based 2FA is on the roadmap for all users. Today, account security relies on strong passwords, OAuth providers, and email-based magic links.

Card data never touches us

All payment info is tokenized by Stripe at the point of entry. We never see, log, or store card numbers — Crankshop is PCI SAQ A scoped.

Operational practices

The habits behind the posture.

Least-privilege production access

Production database access is restricted to the engineers who maintain it. Day-to-day customer data is read through the app under the same RLS policies your shop uses.

Error and uptime monitoring

Sentry captures application errors and Vercel monitors uptime. Issues are triaged during business hours; expanded on-call coverage is on the roadmap.

Managed backups

Daily encrypted backups via our managed Postgres provider. Point-in-time recovery is available on the underlying platform’s standard window.

Per-ticket audit trail

Every mutation on a ticket — status change, parts added, photos, payments, warranty events — writes an audit row to crankshop_ticket_events. You can review the full history of any ticket from the timeline view.

Membership-based access

Each user belongs to one or more shops via membership rows. Server-side route handlers verify membership before returning shop-scoped data.

Data export & deletion

Account and shop deletion is honored on request via support. Self-serve CSV export is on the roadmap — for now, ask us and we’ll get you a copy.

Compliance

Where we stand on the formal stuff.

SOC 2 Type II

Future goal

Crankshop is early-stage and not SOC 2 audited yet. We operate against the controls and will pursue an audit as the customer base warrants it.

GDPR / CCPA

Aligned

Crankshop is US-first, but the product respects data subject rights: access on request, correction in-app, deletion via support.

PCI DSS

SAQ A

Self-Assessment A via Stripe tokenization. We never touch a cardholder data environment.

Subprocessors

Public list

Every third-party we route data through is listed in our privacy policy. We update the list before adding new ones.

Incident response

Direct notification

Any confirmed security incident affecting your shop will be reported to you directly with what we know and what we’re doing about it.

State privacy laws

Honored on request

If a state-specific data subject right applies to your customers, the product can honor it; reach out and we’ll walk through the path.

Responsible disclosure

Found a vulnerability? Tell us.

We’d rather hear from a white-hat than from a customer. We acknowledge every report within one business day.

Email: support@crankshop.app. Please include steps to reproduce, impact, and whether you’d like public credit once a fix ships.

We don’t run a bounty program yet — founding bug-finders get shop hats and personal thanks. We’ll change that when we can afford it.

Security questions from your IT person?

We’ll answer anything — infrastructure, access controls, subprocessors, DR. Ask the IT person in your life to email support@crankshop.app.

See pricing Email security team