Security & Privacy
Crispy gives you full control. Managed storage by default for features like Unibox and campaigns, with data you can export or delete anytime.
Your data, your rules
Managed storage by default so features like Unibox work out of the box. Export or delete your data anytime. For full data ownership or custom data residency, talk to us about enterprise deployment options.
No credential access
We never see your LinkedIn password. Authentication happens through a secure hosted flow. Your team connects their own accounts and controls their own scope.
API keys hashed at rest
API keys are stored as SHA-256 hashes. The plaintext key is shown once at creation and cannot be retrieved. Revoke any key instantly from the dashboard.
Permission scoping
Each connected profile has granular permission scopes. Restrict tools to read-only, outbound-only, or full access. Employees control their own scope.
Infrastructure
Hosted on Railway (US West). Database on Supabase with row-level security. All connections encrypted with TLS 1.3. No self-hosted components to patch.
GDPR compliant
Standard DPA available on request. One-click data deletion. For custom data residency or full ownership requirements, talk to us about enterprise deployment options.
What data touches our servers?
The short answer: almost nothing.
| Data type | Stored? | Details |
|---|---|---|
| Contacts & activities | Managed (default) | Stored for Unibox & campaigns. Export or delete anytime |
| LinkedIn credentials | Never | Handled by secure auth provider |
| API keys | SHA-256 hash only | Plaintext shown once, then discarded |
| Usage logs (tool name, timestamp) | 90 days | Rate limiting & analytics only |
| Email & billing | While active | Deleted within 30 days of account closure |
Security FAQ
Do you need a DPA (Data Processing Agreement)?
Yes. Managed storage (default) processes contact and activity data on your behalf. A standard DPA is available on request. For full data ownership or custom data residency, talk to us about enterprise deployment options.
What happens if Crispy gets breached?
Managed storage contains contacts and activity metadata - no LinkedIn passwords or API tokens. API keys are SHA-256 hashed at rest. For full data ownership or custom data residency, talk to us about enterprise deployment options.
Can my employer see my LinkedIn messages?
Only if you grant them access. Each team member controls their own permission scope. An admin can see usage logs (which tools were called) but message content is only accessible through the Unibox if the account is in their workspace.
How do daily safety limits work?
Crispy enforces per-profile daily action caps (connection requests, messages, posts) that stay within LinkedIn's acceptable usage patterns. These limits cannot be overridden, even by API.
Is Crispy SOC 2 certified?
Crispy itself is not SOC 2 certified. Our infrastructure runs on managed cloud providers (Railway for hosting, Supabase for the database) with encrypted connections and row-level security. For full data ownership or custom data residency, talk to us about enterprise deployment options.
Can I run a pentest against Crispy?
Yes. Contact us at [email protected] to coordinate. We welcome responsible disclosure.
The complete LinkedIn API. Ready when you are.
Connect your first LinkedIn profile in under 5 minutes. Every tool, every seat, no feature gates. Safe limits, warm-up, and full permission control built in.