Cropsly

Security

Encryption, access control, GDPR compliance, and AI model security. No marketing fluff — just the facts.

Data Handling

All data encrypted at rest (AES-256) and in transit (TLS 1.3)
PostgreSQL databases hosted on self-managed Kubernetes clusters
Daily automated backups with 30-day retention and point-in-time recovery
Data stored in EU-based data centers (Hetzner Cloud, Germany)
India-based data hosting available on request for clients requiring data localization
No client data stored on developer machines — remote development only

Access Control

Role-based access control (RBAC) across all systems
Multi-factor authentication (MFA) mandatory for all team members
SSH key-based access to production infrastructure
Authentik OIDC for centralized single sign-on
Quarterly access reviews with principle of least privilege

AI Model Security

Client data is never used to train AI models without explicit consent
On-device AI models run locally — data never leaves the device
API-based AI calls (Claude, OpenAI) go through our proxy with PII filtering
Model inputs and outputs logged for audit, never for training
Fine-tuned models are client-owned and can be self-hosted

Compliance

GDPR compliant: lawful basis, data minimization, right to erasure
DPDP Act 2023 (India) compliant: consent-based processing, grievance redressal, Data Protection Board oversight
Internal security policies aligned with SOC 2 and ISO 27001 principles
Internal security audits and code reviews on every project
Standard Data Processing Agreement (DPA) available at /dpa
Annual penetration testing by independent security firm

Incident Response

Documented incident response plan with defined severity levels
Critical incidents: customer notification within 24 hours
Post-incident reviews and root cause analysis for all P1/P2 events
Automated alerting via Prometheus + Grafana on all production systems
Security contact: [email protected]

Subprocessors

Only services that touch client data are listed. Since we self-host on K8s with standard PostgreSQL, our subprocessor list is minimal.

Service | Purpose | Location | Compliance
Hetzner Cloud | Kubernetes cluster hosting | Germany | ISO 27001, SOC 2
Self-managed PostgreSQL | Primary database | Hetzner (Germany) | Self-managed, encrypted
Anthropic (Claude API) | AI model inference | US | SOC 2 Type II
OpenAI | AI model inference | US | SOC 2 Type II
Google (Gemini API) | AI model inference | US | SOC 2 Type II
Vercel | Application deployment | US | SOC 2 Type II
Pinecone | Vector database (select projects) | US | SOC 2 Type II
AWS S3 / S3-compatible | Media and file storage | EU / US | SOC 2, ISO 27001
SMTP Provider | Transactional email | EU | GDPR compliant

Frequently Asked Questions

Is Cropsly GDPR compliant?

Yes. We follow GDPR principles including lawful basis for processing, data minimization, and right to erasure. Our standard Data Processing Agreement (DPA) is available at /dpa.

Does Cropsly use client data to train AI models?

No. Client data is never used for AI model training without explicit consent. API-based AI calls go through our proxy with PII filtering, and all model inputs/outputs are logged for audit only.

Where is client data stored?

All client data is stored in EU-based data centers (Hetzner Cloud, Germany) on self-managed Kubernetes clusters with PostgreSQL databases. No client data is stored on developer machines.

What encryption does Cropsly use?

We use AES-256 encryption at rest and TLS 1.3 for data in transit. Databases include daily automated backups with 30-day retention and point-in-time recovery.

Does Cropsly follow security standards?

Our internal security policies are aligned with SOC 2 and ISO 27001 principles. We comply with GDPR (EU) and the DPDP Act, 2023 (India). We conduct internal security audits and code reviews on every project, plus annual penetration testing by an independent security firm.

Questions About Security?

We're happy to walk through our security practices. Our standard DPA is available at cropsly.com/dpa.

Last updated: March 2026. Questions? Email [email protected].