Trust & security

Enterprise-grade protection for an honest shop.

Your customer list, your warranty claim data, your payments — they’re not ours, they’re not for sale, and they’re protected the way you’d protect them yourself.

At a glance

How Crankshop handles your data.

Encrypted end to end

AES-256 at rest, TLS 1.3 in transit. No exceptions. No unencrypted backups.

Per-shop isolation

Row-level security enforced at the database layer. Your data never commingles with another shop’s.

US-based infrastructure

Managed Postgres in US regions. No offshore data residency. Regional failover inside the US.

Argon2id passwords

Passwords hashed with argon2id — the modern standard — with per-user salts. No reversible hashes, ever.

Two-factor authentication

TOTP-based 2FA available for all users. Required for the Owner role on every plan.

Card data never touches us

All payment info is tokenized by Stripe at the point of entry. We never see, log, or store card numbers.

Operational practices

The habits behind the posture.

Least-privilege access

Engineer access to production is scoped, time-bound, and logged. Customer data is never read without cause.

Continuous monitoring

Sentry, uptime probes, query-level anomaly detection. On-call rotates 24/7 for Pro customers.

Daily backups, 30-day retention

Point-in-time recovery within the last 7 days. Full encrypted backups for 30 days. Restore tested monthly.

Audit log (7-year retention)

Every mutation on a ticket, customer, payment, or warranty claim writes an immutable audit event.

Roles & session controls

Owner, Counter, Technician, Viewer — every route scoped. Session timeout and revocation are cookie-backed.

Data export & deletion

Full CSV export on demand. Account deletion is honored within 14 days and confirmed in writing.

Compliance

Where we stand on the formal stuff.

SOC 2 Type II

In progress

Year-2 goal. We operate to the controls today — the audit timeline catches up. We’ll publish the report when it lands.

GDPR / CCPA

Aligned

US-first, but the product respects data subject rights: access, correction, deletion, portability.

PCI DSS

SAQ A

Self-Assessment A via Stripe tokenization. We never touch a cardholder data environment.

State privacy laws

Yes

California, Colorado, Connecticut, Virginia, Utah — all covered. We treat everyone like a California resident, even if they aren’t.

Subprocessors

Public list

Every third party we pass data through is published in our privacy policy. No silent changes.

Incident response

72-hour commitment

Any confirmed security incident is reported to affected shops within 72 hours with a written post-mortem.

Responsible disclosure

Found a vulnerability? Tell us.

We’d rather hear from a white hat than from a customer. We acknowledge every report within one business day.

Email: security@crankshop.app. Please include steps to reproduce, impact, and whether you’d like public credit once a fix ships.

We don’t run a bounty program yet — founding bug-finders get shop hats and personal thanks. We’ll change that when we can afford it.

Security questions from your IT person?

We’ll answer anything — infrastructure, access controls, subprocessors, DR. Ask the IT person in your life to email security@crankshop.app.