CrazySound.ai
Security

Effective May 17, 2026

CrazySound takes the security of customer data seriously. This page describes the technical and organizational measures we use to protect the Service, our subprocessor stack, and our coordinated vulnerability disclosure program.

1. Infrastructure

  • Edge and hosting. The application runs on a tier-1 global edge platform with DDoS mitigation, TLS termination, and bot management at the network edge. Production workloads are isolated per environment and per region.
  • Database. Managed relational database hosted in the United States. Customer isolation is enforced at the application layer via row-level predicates keyed on the authenticated user's identity ID, and at the database layer via roles with the minimum privileges each route needs.
  • Storage. Generated audio and watermark assets are stored in S3-compatible object storage under per-feature key prefixes. Access uses scoped credentials with object-level ACLs.
  • AI inference. Routed to leading commercial AI inference providers under enterprise data-processing agreements. We send only the content needed to fulfill each request, and our agreements prohibit those providers from training their models on our customers' content.

2. Encryption

  • In transit. TLS 1.2+ on all public endpoints (TLS 1.3 preferred). HSTS enabled with a 6-month max-age and subdomain inclusion.
  • At rest. Database storage and object storage encrypted with AES-256 managed by our infrastructure subprocessors. Application secrets stored in sealed, environment-scoped configuration; never committed to source control.
  • Backups. Daily encrypted Postgres backups with a rolling 30-day retention. Restore tested quarterly.

3. Authentication and access

  • End-user authentication. Managed by a third-party identity provider with SOC 2 Type II attestation. Supports password + MFA, magic link, and SSO via major OIDC providers. We never see customer passwords.
  • Employee authentication. Employees must enroll hardware-backed MFA (WebAuthn) before they can access production systems. SSO with mandatory password rotation.
  • Least privilege. Production access is granted per role, audited quarterly, and revoked within one business day of role change or departure.
  • Logging. Authentication events, privileged actions, and configuration changes are logged centrally for at least 90 days.

4. Application security

  • Dependency scanning. Automated scans of npm dependencies on every pull request via Dependabot. Critical and high severity vulnerabilities are patched within 7 days.
  • Static analysis. TypeScript strict mode, ESLint, and a per-route Vitest gate run on every push.
  • Code review. All production changes require pull request review. Direct commits to the main branch are blocked.
  • Secret management. Application secrets are stored in encrypted, environment-scoped configuration with per-role access controls. Never in the repository.
  • Input validation. Server routes validate request bodies with Zod schemas before any processing. AI prompts and generated content are treated as untrusted data and never executed or interpreted as code.

5. Data protection

  • We do not train AI models on Customer Content.
  • AI inference subprocessors are contractually prohibited from training their models on Customer Content under their enterprise data-processing terms.
  • Customer Content is logically isolated by tenant ID at every layer (application predicates, database row ownership, storage key prefix).
  • Customer-deleted projects are purged from primary storage within 30 days and from backups within 90 days.

6. Subprocessor security

Before engaging a subprocessor we review their security posture and published attestations. Between them, our production subprocessors hold the following attestations (verified at the time of engagement):

  • SOC 2 Type II
  • ISO 27001
  • PCI DSS Level 1
  • FedRAMP Moderate
  • HIPAA-eligible processing on supported services
  • ISO 27017 (cloud-specific controls) and ISO 27018 (cloud PII)

Categorical subprocessor disclosure is maintained in our Privacy Policy, Section 5. A current, named subprocessor list with each provider's jurisdiction, purpose, and attestation set is supplied to Customers under our Data Processing Addendum, or on written request to legal@crazysound.ai under a mutual non-disclosure agreement. Customers on a paid plan can subscribe to advance notice of subprocessor changes per Section 6 of our DPA.

7. Incident response

  • We maintain a written incident response plan covering detection, containment, eradication, recovery, and communication.
  • Confirmed security incidents are triaged within 1 hour of detection during business hours and within 4 hours outside business hours.
  • Customers will be notified of incidents affecting their data without undue delay and, where the GDPR applies, within 72 hours per Section 8 of our DPA.
  • Post-incident reviews are conducted for every confirmed incident and action items are tracked to closure.

8. Business continuity

  • Service availability target. 99.5% monthly, measured at the public origin endpoint.
  • Multi-region. The application runs across a tier-1 global edge network. Database failover is handled by our managed-database provider.
  • Backup restore drills. Conducted quarterly.

9. Compliance roadmap

CrazySound is a venture-backed startup and we are scaling our formal compliance program in parallel with the product. Currently:

  • GDPR / UK GDPR / Swiss FADP processor terms in production.
  • CCPA / CPRA compliance posture in production.
  • SOC 2 Type I targeted for completion in 2026.
  • HIPAA Business Associate Agreement available on request for healthcare customers.

If your procurement process requires a specific framework not yet listed, email security@crazysound.ai and we will discuss your timeline and ours.

10. Reporting a vulnerability

If you believe you have found a security vulnerability in CrazySound.ai, please report it to security@crazysound.ai. Please:

  • Provide a clear description of the issue and steps to reproduce.
  • Give us a reasonable opportunity (at least 90 days) to investigate and remediate before public disclosure.
  • Do not access, modify, or destroy data that is not yours.
  • Do not perform denial-of-service attacks, social engineering, or physical attacks against our facilities or staff.

We do not currently offer a bug bounty but we are happy to acknowledge researchers who report verified issues. We will not pursue legal action against good-faith researchers who follow the guidelines above.

11. Contact

Security and vulnerability reports: security@crazysound.ai. General legal: legal@crazysound.ai.

© 2026 CrazySound.ai