Security

How we protect your data

Last updated: May 15, 2026

Security is a foundational concern at Crate, not an afterthought. Every architectural decision — from service decomposition to database design — considers data protection as a primary constraint. Here is how we keep your warehouse data safe.

Infrastructure

Crate runs on enterprise-grade cloud infrastructure in a dedicated, isolated environment. Our infrastructure is designed with defense in depth:

  • All services run in private networks with no direct public internet access
  • Databases are not publicly accessible — they are reachable only from within the cluster
  • Containers run as non-root users with read-only filesystems and dropped capabilities
  • Ingress traffic is routed through a managed load balancer with TLS termination

Encryption

All data is encrypted both in transit and at rest:

  • In transit: TLS 1.2 or higher for all connections, including API traffic, browser sessions, and inter-service communication
  • At rest: AES-256 encryption for all database storage and backups

Authentication

Access to Crate is controlled through a dedicated authentication service:

  • JWT-based session tokens with short expiry and refresh rotation
  • Passwords hashed using bcrypt with appropriate cost factors
  • Role-based access control (RBAC) at the organization level
  • API authentication via bearer tokens with per-key permissions

Application Security

Our application layer follows industry best practices to prevent common vulnerabilities:

  • Strict input validation on all API endpoints
  • Parameterized database queries — no string concatenation in SQL
  • Adherence to the OWASP Top 10 security guidelines
  • Dependency scanning for known vulnerabilities
  • Security headers on all HTTP responses (HSTS, CSP, X-Frame-Options)

Data Isolation

Crate is multi-tenant by design, with strict per-organization data isolation. Every database query is scoped by organization ID. The API gateway stamps tenant context on every request, and there is no code path that permits cross-tenant data access. Each service enforces isolation independently — a misconfiguration in one service cannot expose data from another tenant through a different service.
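
The pattern described above, sketched as an added example (this is not Crate's code). It assumes the gateway authenticates its tenant stamp with an HMAC that each service re-verifies before running queries that bind the organization ID as a parameter. The header names, key, table, and function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3

GATEWAY_KEY = b"constructed-demo-key"  # assumption: secret shared by gateway and services


def stamp(org_id: str) -> dict:
    """Gateway side: attach the tenant context plus a MAC over it."""
    mac = hmac.new(GATEWAY_KEY, org_id.encode(), hashlib.sha256).hexdigest()
    return {"X-Org-Id": org_id, "X-Org-Mac": mac}  # hypothetical header names


def tenant_from(headers: dict) -> str:
    """Service side: re-verify the stamp instead of trusting the header."""
    org_id = headers.get("X-Org-Id", "")
    expected = hmac.new(GATEWAY_KEY, org_id.encode(), hashlib.sha256).hexdigest()
    if not org_id or not hmac.compare_digest(expected, headers.get("X-Org-Mac", "")):
        raise PermissionError("missing or invalid tenant context")
    return org_id


class InventoryStore:
    """Every query binds org_id as a parameter; there is no unscoped read."""

    def __init__(self, db: sqlite3.Connection):
        self.db = db

    def get_item(self, headers: dict, item_id: int):
        org_id = tenant_from(headers)
        # None when the id exists but belongs to another tenant
        return self.db.execute(
            "SELECT id, sku, qty FROM items WHERE id = ? AND org_id = ?",
            (item_id, org_id),
        ).fetchone()

    def list_items(self, headers: dict):
        org_id = tenant_from(headers)
        return self.db.execute(
            "SELECT id, sku, qty FROM items WHERE org_id = ? ORDER BY id", (org_id,)
        ).fetchall()


def demo_store() -> InventoryStore:
    """Constructed sample data: two tenants in one shared table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, org_id TEXT, sku TEXT, qty INTEGER)")
    db.executemany(
        "INSERT INTO items VALUES (?, ?, ?, ?)",
        [(1, "org-a", "PALLET-01", 40), (2, "org-b", "PALLET-02", 7)],
    )
    return InventoryStore(db)
```

A request stamped for one organization that asks for another organization's row ID gets the same empty result as a nonexistent ID, and a request whose stamp is missing or altered is rejected before any query runs.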

Monitoring

We maintain continuous visibility into the health and security of our systems:

  • Structured application logging across all services
  • Health check endpoints with automated alerting on failures
  • Real-time metrics for resource utilization and request patterns
  • Uptime monitoring with incident response procedures

Responsible Disclosure

If you discover a security vulnerability in Crate, we ask that you disclose it responsibly. Please report vulnerabilities to security@cratewms.com with the following information:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots or proof of concept

We will acknowledge receipt within 48 hours and work with you to understand and address the issue. We will not take legal action against researchers who follow responsible disclosure practices.