Security at Cruxtro

Last updated: Oct 20, 2025

At Cruxtro, we believe trust is the foundation of intelligent collaboration.

Our platform is built with privacy, data integrity, and enterprise-grade security at its core — so your product data stays safe, encrypted, and fully under your control.

This document outlines how we secure your data across every layer of the Cruxtro stack.


1. Infrastructure Security

Cruxtro runs on a modern, cloud-native architecture hosted entirely on Google Cloud Platform (GCP) — using secure, isolated environments for every component of our system.

Component | Platform | Security Highlights
Backend | Google Cloud Run | Containerized microservices deployed in a fully managed, auto-scaling environment. Each service is authenticated using IAM and service accounts.
Database | Cloud SQL for PostgreSQL | Data encrypted at rest and in transit (AES-256 & TLS 1.3). Access restricted via private VPC and IAM roles.
Frontend | Vercel | Served securely over HTTPS with automatic SSL/TLS certificates. CI/CD pipelines ensure verified and integrity-checked builds.
Authentication | Clerk | Manages user authentication, registration, and sessions using industry-standard encryption and compliance. Provides built-in support for SSO, 2FA, and session management.

2. Data Encryption

  • At Rest: All data is encrypted using AES-256 encryption.
  • In Transit: All communication between client, server, and database is protected using TLS 1.2+.
  • Workspace Data: Workspaces are logically isolated; each has its own scoped permissions.
  • Third-Party Tokens: OAuth and integration tokens (e.g., Notion, Jira, Slack) are encrypted with Google Secret Manager and never stored in plaintext.

3. Secret & Key Management

All credentials, API keys, and environment variables are managed using Google Secret Manager, ensuring:

  • Fine-grained IAM-based access control
  • Secret versioning and rotation
  • Full access logs and audit trails
  • Zero plaintext secrets in code or environment

Only specific backend services can access secrets, and only for the duration of authorized operations.


4. AI Model Security

Cruxtro uses Google Cloud AI to power product intelligence, summarization, and insight generation.

AI interactions are processed through ephemeral and encrypted sessions, ensuring:

  • Zero data retention when Private Mode is enabled
  • Encryption of all inputs and outputs via TLS
  • Strict isolation between workspaces and model contexts
  • No data used for model training, unless explicitly permitted by the user

Cruxtro never sends your data to external AI systems for training.


5. Payment Security

Cruxtro uses Razorpay for secure payment processing. Razorpay is PCI DSS Level 1 compliant — the highest level of payment security certification.

  • Cruxtro does not store or process any raw card data.
  • All payment transactions are encrypted and handled directly by Razorpay.
  • Razorpay’s systems comply with RBI, PCI-DSS, and ISO 27001 standards.
  • Learn more: razorpay.com/security

6. Access Control & Authentication

Authentication and user management in Cruxtro are powered by Clerk — a secure, compliant identity platform designed for modern web apps.

Clerk provides:

  • Secure Login & Sign-Up: Email, password, OAuth, and SSO login methods with encrypted token handling.
  • Multi-Factor Authentication (MFA): Optional 2FA to add an extra layer of protection.
  • Session Management: Short-lived, signed tokens for secure session handling.
  • Account Recovery & Device Management: Built-in user account and session revocation features.
  • Privacy-first architecture: User credentials and identity data never touch Cruxtro’s servers directly — authentication is verified via Clerk’s secure API.

Cruxtro complements Clerk with:

  • Role-Based Access Control (RBAC) within workspaces.
  • Scoped API keys for integration with external systems.
  • Strict session and permission validation before data access.

All cookies and tokens are HttpOnly, Secure, and SameSite protected.


7. Monitoring, Logging & Incident Response

Cruxtro continuously monitors for performance and security anomalies using Google Cloud Monitoring & Logging.

  • Real-time alerts for unauthorized access or elevated permissions.
  • Centralized log management and audit trails for all production systems.
  • Automated alerts for failed logins, injection attempts, and data access anomalies.
  • Documented Incident Response Plan (IRP) to handle and communicate any breach or anomaly within defined SLAs.

8. Compliance & Data Protection

Cruxtro’s infrastructure and policies are aligned with global compliance standards:

  • GDPR (EU)
  • CCPA (California)
  • ISO/IEC 27001 principles
  • PCI DSS (via Razorpay)

We provide self-service data export and deletion options in compliance with user data rights and regulatory obligations.


9. Responsible Disclosure

We welcome security researchers and ethical hackers to help us identify vulnerabilities.

If you believe you’ve found a security issue, please contact us responsibly at security@cruxtro.com.

We respond promptly to all verified reports and will acknowledge your contribution.


10. Our Commitment

Your data powers your product decisions — and protecting it powers ours.

Cruxtro is built to enable AI-native product teams to work intelligently without sacrificing security, privacy, or compliance.

We build with trust by design — intelligence by intent.


Contact Us

For security or compliance questions:

Email: support@cruxtro.com

Website: www.cruxtro.com