How CRWLR Handles Your Data
Transparency about what we collect, how we process it, and how you stay in control.
What we collect
When you run a scan, you upload a firewall configuration backup file. Optionally you can also upload traffic log data for deeper analysis. We also store basic account information (email, plan, billing) needed to operate the service.
We do not collect browser telemetry, install tracking pixels, or share data with third-party analytics providers.
How data is processed
- Config files are parsed in memory on our servers during the scan.
- The analysis engine extracts security findings, scores, and remediation steps.
- Raw config files are deleted immediately after the scan completes or fails. They are never retained beyond the processing window.
- Passwords for encrypted (protected) config backups are held in memory only during parsing and are never stored in any database or log.
- Normalized (parsed) configs are only stored if you explicitly enable config retention in your account settings. When stored, they contain parsed policy structures, zone names, and object definitions.
Storage and encryption
- All data at rest is encrypted using AES-256 via our database provider (Supabase).
- All data in transit is encrypted via TLS 1.2 or higher.
- Config file uploads use isolated storage paths scoped to your account.
- Database backups are encrypted and access-controlled.
Tenant isolation
CRWLR is a multi-tenant platform. Every database query is scoped to your account ID using row-level security (RLS) policies enforced at the database layer. There is no mechanism for one customer to access another customer's firewalls, scans, or findings.
API requests are authenticated via JWT tokens tied to your account. Server-side routes enforce tenant boundaries on every operation.
Your controls
You can configure how your data is handled from Account → Data Handling:
- Raw config disposal — raw firewall config files are never stored. Files are parsed in memory and immediately discarded. This is an architecture decision, not a setting.
- IP obfuscation — replace all IP addresses, subnets, and hostnames with anonymous placeholders before findings are stored. When enabled, no real network addresses appear in the database.
- PDF export with redaction — export scan reports with IP obfuscation applied, suitable for sharing with third parties.
Data retention
Scan results and findings are retained according to your account retention period (default: 365 days). You can request full account data deletion at any time by contacting us.
When a firewall is deleted with the "delete scan history" option, all associated scans, findings, and configs are permanently removed.
Compliance
GDPR
IP addresses are considered personal data under GDPR. CRWLR supports data minimization (raw configs never stored — parsed in memory only), purpose limitation (data used exclusively for firewall auditing), right to erasure (full account deletion on request), and data portability (PDF export). The IP obfuscation feature ensures addresses never enter the database when enabled.
SOC 2
CRWLR follows SOC 2 Trust Services Criteria principles: encryption at rest and in transit, tenant isolation, role-based access controls, and audit logging. Formal SOC 2 Type II certification is on our roadmap.
Encryption Standards
AES-256 encryption at rest. TLS 1.2+ in transit. No custom or proprietary cryptographic implementations.
PCI DSS
Firewall configs from PCI-scoped environments are processed in memory and deleted after scanning. They are never returned via API endpoints or exposed in logs.
NIS2
CRWLR is designed for organizations operating critical infrastructure. Our data handling controls and tenant isolation model align with NIS2 requirements for supply chain security tools.
Sub-processors
- Supabase — database and file storage. Hosts all account data, scan results, and temporary config uploads.
- Stripe — billing and subscription management only. No firewall or scan data is shared with Stripe.
- NVD / Vendor Feeds — we query public vulnerability databases (NIST NVD, CISA KEV, vendor PSIRTs) to enrich scan results with CVE data. These are outbound lookups only. No customer data is sent to these services.
Account deletion
You can request complete account deletion at any time. This permanently removes all account data including firewalls, scans, findings, configs, alerts, and billing records. Contact us to initiate the process.
Data protection inquiries
For questions about data handling, GDPR requests, or to request a Data Processing Agreement (DPA), contact us at security@crwlr.io.