[ SECURITY · OUT LOUD ]

WE SECURE LOUDLY. VERIFY EVERYTHING.

Security is everyone's job. Here's exactly how we handle yours — infrastructure, people, and process.

LAST UPDATED · 2026-04-01

01 · CERTIFICATIONS

  • SOC 2 Type II (audited annually)
  • ISO 27001
  • GDPR-compliant (EU workspace available)
  • HIPAA-ready (under BAA for healthcare customers)
  • PCI-DSS scoped for billing endpoints only

02 · ENCRYPTION

AES-256 at rest. TLS 1.3 in transit. Keys rotated quarterly and managed with hardware-backed key management.

Backups are encrypted with separate keys and stored in a region-isolated vault with access restricted to the on-call security team.

03 · ACCESS CONTROL

SSO required for Enterprise. SCIM provisioning available.

Internally, we enforce least-privilege access with quarterly reviews. Production access requires a hardware key, MFA, and a peer-approved JIT request.

04 · PII PROTECTION

PII is identified and redacted before entering our reasoning layer. You control the scrubber. Detected fields include names, phone numbers, card numbers, government IDs, and health identifiers. Redaction is non-reversible by default.

05 · INCIDENT RESPONSE

If we detect an incident, you hear about it in under 4 hours — not 4 weeks. We run quarterly tabletop exercises and annual external penetration tests.

Post-incident, you get a written postmortem with timeline, root cause, affected data, and remediation. No mystery boxes.

06 · DATA RESIDENCY

US, EU, and APAC workspaces available. Data never leaves its configured region, including backups and replicas.

07 · BUG BOUNTY

We run a responsible-disclosure program. Find a real vulnerability, tell us, get paid — up to $20,000 for critical issues.

Email security@crazycorky.com with details. PGP key on request.

08 · SUPPLY CHAIN

We vet third-party vendors annually. Subprocessor list is public and kept current at crazycorky.com/subprocessors. Material changes get 30 days' notice.

09 · REPORTING

Want to audit us? Enterprise customers can request our SOC 2 report, pen-test summaries, and architecture diagrams under NDA. Email security@crazycorky.com.

QUESTIONS? WRITE TO LEGAL@CRAZYCORKY.COM

STOP GUESSING. START KNOWING.