Your data, your rules

Security & Privacy

Crispy gives you full control. Managed storage is the default, so features like Unibox and campaigns work out of the box. Bring-your-own-database and fully stateless modes are available on enterprise plans.

Your data, your rules

Managed storage by default so features like Unibox work out of the box. Bring your own Supabase database for full ownership, or switch to stateless mode where nothing is retained — both available on enterprise plans.

No credential access

We never see your LinkedIn password. Authentication happens through a secure hosted flow. Your team connects their own accounts and controls their own scope.

API keys hashed at rest

API keys are stored as SHA-256 hashes. The plaintext key is shown once at creation and cannot be retrieved. Revoke any key instantly from the dashboard.

Permission scoping

Each connected profile has granular permission scopes. Restrict tools to read-only, outbound-only, or full access. Employees control their own scope.

Infrastructure

Hosted on Railway (US West). Database on Supabase with row-level security. All connections encrypted with TLS 1.3. No self-hosted components to patch.

GDPR compliant

Standard DPA available on request. One-click data deletion. Bring-your-own-database and stateless mode available on enterprise plans for zero-retention requirements.

What data touches our servers?

The short answer: almost nothing.

| Data type | Stored? | Details |
| --- | --- | --- |
| Contacts & activities | Managed (default) | Stored for Unibox & campaigns. BYOS or stateless mode available on enterprise |
| LinkedIn credentials | Never | Handled by secure auth provider |
| API keys | SHA-256 hash only | Plaintext shown once, then discarded |
| Usage logs (tool name, timestamp) | 90 days | Rate limiting & analytics only |
| Email & billing | While active | Deleted within 30 days of account closure |

Security FAQ

Do you need a DPA (Data Processing Agreement)?

Yes — managed storage (default) processes contact and activity data on your behalf. A standard DPA is available on request. Enterprise customers can switch to BYOS (data in your own Supabase) or stateless mode (no personal data processed, no DPA required) — talk to us.

What happens if Crispy gets breached?

Managed storage contains contacts and activity metadata, with no LinkedIn passwords or API tokens. Enterprise customers on BYOS store data in their own Supabase instance, fully under their control. Enterprise customers on stateless mode have zero data exposure. API keys are SHA-256 hashed at rest.

Can my employer see my LinkedIn messages?

Only if you grant them access. Each team member controls their own permission scope. An admin can see usage logs (which tools were called) but message content is only accessible through the Unibox if the account is in their workspace.

How do daily safety limits work?

Crispy enforces per-profile daily action caps (connection requests, messages, posts) that stay within LinkedIn's acceptable usage patterns. These limits cannot be overridden, even by API.

Is Crispy SOC 2 certified?

Crispy itself is not SOC 2 certified. Our infrastructure runs on managed cloud providers (Railway for hosting, Supabase for the database) with encrypted connections and row-level security. Enterprise customers can also opt into BYOS or stateless mode, which removes data from our infrastructure entirely.

Can I run a pentest against Crispy?

Yes. Contact us at [email protected] to coordinate. We welcome responsible disclosure.
