Stateless by design

Security & Privacy

Crispy never stores your LinkedIn data. Not temporarily, not in a cache, not in a log. Your data flows through and is returned to your AI client. That’s it.

Zero data retention

LinkedIn data flows through Crispy and is returned to your AI client. Nothing is cached, stored, or logged on our servers. Ever.

No credential access

We never see your LinkedIn password. Authentication happens through a secure hosted flow. Your team connects their own accounts and controls their own scope.

API keys hashed at rest

API keys are stored as SHA-256 hashes. The plaintext key is shown once at creation and cannot be retrieved. Revoke any key instantly from the dashboard.
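
A minimal sketch of the hash-at-rest scheme described above, added here as an illustration and not Crispy's own code. The `demo_<id>_<secret>` key format, the `ApiKeyStore` class and the in-memory dict standing in for a database table are all assumptions.

```python
import hashlib
import hmac
import secrets

PREFIX = "demo"  # hypothetical key prefix, not Crispy's real key format


class ApiKeyStore:
    """Keeps only SHA-256 digests of API keys; plaintext is never stored."""

    def __init__(self):
        # key_id -> {"digest": hex str, "revoked": bool}; stands in for a DB table
        self._rows = {}

    @staticmethod
    def _digest(plaintext):
        # A fast unsalted hash is acceptable here only because the input is a
        # 256-bit random value; a human-chosen password would need a slow KDF.
        return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()

    def issue(self):
        """Create a key and return the plaintext once; only the digest is kept."""
        key_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        plaintext = f"{PREFIX}_{key_id}_{secret}"
        self._rows[key_id] = {"digest": self._digest(plaintext), "revoked": False}
        return key_id, plaintext

    def verify(self, presented):
        """Return the key_id for a valid, unrevoked key, otherwise None."""
        parts = presented.split("_", 2)  # the secret itself may contain "_"
        if len(parts) != 3 or parts[0] != PREFIX:
            return None
        row = self._rows.get(parts[1])
        if row is None or row["revoked"]:
            return None
        # Constant-time comparison of the stored and recomputed digests.
        if hmac.compare_digest(row["digest"], self._digest(presented)):
            return parts[1]
        return None

    def revoke(self, key_id):
        """Mark the key unusable; takes effect on the next verify() call."""
        if key_id in self._rows:
            self._rows[key_id]["revoked"] = True

    def stored_values(self):
        """What someone holding a copy of the table would see: digests only."""
        return [row["digest"] for row in self._rows.values()]
```

Because the plaintext exists only in the return value of `issue()`, a lost key cannot be recovered from the store and has to be revoked and reissued.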

Permission scoping

Each connected profile has granular permission scopes. Restrict tools to read-only, outbound-only, or full access. Employees control their own scope.

Infrastructure

Hosted on Vercel (SOC 2 Type II). Database on Supabase (SOC 2 Type II, row-level security). All connections encrypted with TLS 1.3. No self-hosted components to patch.

GDPR by architecture

No data processing agreement needed — we don't process personal data. Nothing is stored, so nothing can be breached, leaked, or subpoenaed. Compliant by default.

What data touches our servers?

The short answer: almost nothing.

| Data type | Stored? | Details |
| --- | --- | --- |
| LinkedIn messages, posts, contacts | Never | Real-time pass-through only |
| LinkedIn credentials | Never | Handled by secure auth provider |
| API keys | SHA-256 hash only | Plaintext shown once, then discarded |
| Usage logs (tool name, timestamp) | 90 days | Rate limiting & analytics only |
| Email & billing | While active | Deleted within 30 days of account closure |

Security FAQ

Do you need a DPA (Data Processing Agreement)?

No. Crispy does not store, process, or retain any LinkedIn personal data. We act as a real-time pass-through. Since no personal data is processed on our servers, a DPA is not required under GDPR.

What happens if Crispy gets breached?

There is no LinkedIn data to steal. The only data we store is your email, hashed API keys, and Stripe subscription metadata. No messages, no contacts, no profile data.

Can my employer see my LinkedIn messages?

Only if you grant them access. Each team member controls their own permission scope. An admin can see that tools were called (usage logs) but cannot read message content — we don't store it.

How do daily safety limits work?

Crispy enforces per-profile daily action caps (connection requests, messages, posts) that stay within LinkedIn's acceptable usage patterns. These limits cannot be overridden, even by API.

Is Crispy SOC 2 certified?

Crispy itself is not SOC 2 certified. However, our entire infrastructure runs on SOC 2 Type II certified providers (Vercel and Supabase). Combined with our zero-data-retention architecture, the effective security posture meets or exceeds most SOC 2 requirements.

Can I run a pentest against Crispy?

Yes. Contact us at security@shyft.ai to coordinate. We welcome responsible disclosure.
