Security & Privacy
Crispy gives you full control. Managed storage by default for features like Unibox and campaigns. Bring your own database for complete ownership. Or go fully stateless - your choice.
Your data, your rules
Managed storage by default so features like Unibox work out of the box. Bring your own Supabase database for full ownership, or switch to stateless mode where nothing is retained.
No credential access
We never see your LinkedIn password. Authentication happens through a secure hosted flow. Your team connects their own accounts and controls their own scope.
API keys hashed at rest
API keys are stored only as SHA-256 hashes. The plaintext key is shown once at creation and cannot be retrieved afterwards; a leaked database yields hashes, not usable keys. A fast unsalted hash is safe here only because each key is a long random secret rather than a user-chosen password. Revoke any key instantly from the dashboard.
Permission scoping
Each connected profile has granular permission scopes. Restrict tools to read-only, outbound-only, or full access. Employees control their own scope.
Infrastructure
Hosted on Vercel (SOC 2 Type II). Database on Supabase (SOC 2 Type II, row-level security). All connections encrypted with TLS 1.3. No self-hosted components to patch.
GDPR compliant
Full data portability via Bring Your Own Database. One-click data deletion. Stateless mode for zero-retention requirements. Data minimisation is enforced by the architecture, not only by policy.
What data touches our servers?
The short answer: by default, the contact and activity data Unibox and campaigns need plus a small amount of operational metadata; with BYOS or stateless mode, almost nothing.
| Data type | Stored? | Details |
|---|---|---|
| Contacts & activities | Managed (default) | Stored for Unibox & campaigns. BYOS (bring your own Supabase) or stateless mode available |
| LinkedIn credentials | Never | Handled by secure auth provider |
| API keys | SHA-256 hash only | Plaintext shown once, then discarded |
| Usage logs (tool name, timestamp) | 90 days | Rate limiting & analytics only |
| Email & billing | While active | Deleted within 30 days of account closure |
Security FAQ
Do you need a DPA (Data Processing Agreement)?
If you use managed storage (default) or BYOS, Crispy processes contact and activity data on your behalf, and a standard DPA is available on request. In stateless mode nothing is retained; contact data still passes through Crispy servers for the duration of each request, so confirm with your own counsel whether you still want a DPA in place for that transient processing.
What happens if Crispy gets breached?
Managed storage contains contacts and activity metadata. LinkedIn credentials are never stored by Crispy and API keys exist only as SHA-256 hashes, so a dump of the managed database yields neither. BYOS users store data in their own Supabase instance, fully under their control. Stateless mode users have no stored data to expose.
Can my employer see my LinkedIn messages?
Only if you grant them access. Each team member controls their own permission scope. An admin can see usage logs (which tools were called, and when) but not message bodies from those logs. Message content is visible only in the Unibox, and only for accounts connected to the admin's workspace with a scope that allows it.
How do daily safety limits work?
Crispy enforces per-profile daily action caps (connection requests, messages, posts) that stay within LinkedIn's acceptable usage patterns. These limits cannot be overridden, even by API.
Is Crispy SOC 2 certified?
Crispy itself is not SOC 2 certified. Its infrastructure runs on SOC 2 Type II certified providers (Vercel and Supabase), so hosting, network and database-platform controls are inherited from them. Application-level controls (key handling, permission scoping, data retention) are Crispy's own and are not covered by those providers' reports; where that matters, BYOS and stateless mode let you keep the data out of Crispy's storage entirely.
Can I run a pentest against Crispy?
Yes. Contact us at support@crispy.sh to coordinate. We welcome responsible disclosure.
The complete LinkedIn API. Ready when you are.
Connect your first LinkedIn profile in under 5 minutes. All 164 tools. Safe limits, warm-up, and full permission control built in.