Security
Qcrawl is built for production use by teams that take security seriously. We treat customer data, API keys, and request logs as sensitive and apply standard industry controls to protect them.
Encryption
All traffic between your client and the API is encrypted in transit over TLS 1.3. Data at rest is encrypted using AES-256 on the underlying storage layer.
Authentication
API keys are 192-bit random tokens hashed with SHA-256 for storage — the raw key is never persisted on our side. Account passwords are hashed using argon2id with per-credential random salts.
Webhook signatures
Every webhook we deliver includes an HMAC signature header so your server can verify the request came from Qcrawl. Stripe-style webhook verification helpers ship in our SDKs.
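A receiver-side check for the webhook signature described above, as an added example that is not Qcrawl's SDK code. The header layout `t=<unix>,v1=<hex HMAC-SHA256 of "<t>.<raw body>">`, the 300-second tolerance, and the sample secret and body are assumptions modelled on the Stripe-style scheme mentioned here; the real header name and format come from the Qcrawl SDK documentation.

```python
import hashlib
import hmac
import time

TOLERANCE_SECONDS = 300  # assumed replay window, not a documented Qcrawl value
SAMPLE_SECRET = b"whsec_constructed_example"  # constructed sample secret
SAMPLE_BODY = b'{"event":"crawl.completed","id":"evt_constructed"}'  # constructed


class SignatureError(Exception):
    """Raised when a webhook fails verification."""


def sign(secret, timestamp, body):
    """Build a header in the assumed 't=<unix>,v1=<hex>' layout."""
    mac = hmac.new(secret, f"{timestamp}.".encode() + body, hashlib.sha256)
    return f"t={timestamp},v1={mac.hexdigest()}"


def verify(secret, header, body, now=None):
    """Return the signed timestamp, or raise SignatureError."""
    timestamp, candidates = None, []
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if key == "t" and value.isascii() and value.isdigit():
            timestamp = int(value)
        elif key == "v1":
            candidates.append(value.encode("utf-8", "replace"))
    if timestamp is None or not candidates:
        raise SignatureError("malformed signature header")
    # Sign the raw bytes as received; re-serialised JSON will not match.
    expected = sign(secret, timestamp, body).split("v1=", 1)[1].encode()
    # compare_digest is constant-time; several v1 values allow secret rotation.
    if not any(hmac.compare_digest(expected, c) for c in candidates):
        raise SignatureError("signature mismatch")
    # Check freshness only after the MAC, so the timestamp is authenticated.
    now = time.time() if now is None else now
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise SignatureError("timestamp outside tolerance")
    return timestamp
```

Pass the request body exactly as it arrived on the wire, before any JSON parsing, and reject the request on any `SignatureError`.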
Compliance
SOC 2 Type II is on the roadmap; documentation is available under NDA on request. GDPR and CCPA: we minimize the personal data we collect and offer customer data export and deletion on request.
Responsible disclosure
We welcome security reports. Please email [email protected] with details. We acknowledge reports within one business day and aim to resolve confirmed issues within 30 days.
The full vulnerability disclosure policy covers what is in scope, our safe-harbour commitment, and the response timeline you can expect. The canonical machine-readable contact record is security.txt.
Subprocessors
Qcrawl uses a short list of vetted third parties to deliver the platform. The complete list, with the data each one handles and the legal transfer basis, is on the subprocessor page. Customers with executed DPAs are notified 30 days before any new subprocessor begins processing their data.
How the platform is built
The subsystems, design principles, and operational guarantees behind every Qcrawl endpoint are described on the architecture page.
Status page
Live operational status is published at status.qcrawl.com.