Crowdee processes content that newsrooms, broadcasters, and compliance teams cannot afford to leak. We treat security and data protection as primary product features — not afterthoughts — from where the servers live down to how individual API requests are signed.
security@crowdee.ai · Crowdee GmbH, Berlin · GDPR-aligned, no training on customer content
No managed cloud, no third-party serverless, no opaque hyperscaler abstractions in the request path. Visitors talk only to Crowdee-controlled origins in Germany.
Website, dashboards, databases, and our self-hosted Matomo analytics all run on dedicated servers at netcup GmbH in German data centres.
Our automation backend (used by the chat assistant and the Content Verification pipeline) runs on hardware Crowdee owns and operates in Berlin.
We do not use Vercel, third-party serverless platforms, or third-party managed CDNs to deliver dynamic content. Visitors connect only to Crowdee-controlled origins.
Encryption, signed tokens, origin enforcement, rate limits, and scoped credentials — layered, not bolted on.
All traffic to and from the Website and our APIs is served over HTTPS with modern cipher suites and HSTS.
Application databases that hold persistent customer data are encrypted at rest. Sensitive credentials (e.g. API keys) are stored as one-way hashes, never in clear text.
Verification results are bound to the originating browsing session with HMAC-signed, short-lived tokens (one-hour TTL) so that follow-up actions cannot be forged.
State-changing endpoints enforce origin and CSRF checks, rate-limit on multiple axes, and use ALTCHA proof-of-work to block automated abuse.
Each public API route applies in-memory per-IP and per-instance rate limits with body-size caps and upstream timeouts to contain misbehaving clients.
Programmatic access uses scoped API keys with effective roles capped at the minimum of the key role and the membership role, optionally pinned to specific organisations.
We use machine-learning models to do real work for you. We do not turn your content into training data — ours or anyone else's.
We do not use Customer Content or Outputs to train our foundation models, and we contractually require the third-party AI providers we engage not to use inputs or outputs to train theirs.
Uploaded image bytes are kept only for the duration of the inference call and are not persisted on disk. A hash-keyed result cache expires within 24 hours.
Third-party model providers we route to act as our processors under Art. 28 GDPR. They are bound to process inputs only on our instructions and to keep them no longer than technically necessary.
Least-privilege access, disciplined patching, retained audit logs, and processors held to the same standard.
Access to production systems uses role-based controls and the principle of least privilege, with audit logging on privileged operations.
Operating systems, runtimes, and dependencies are patched on a regular cadence. We track upstream advisories and apply security updates promptly.
Server log files are retained for a maximum of 30 days unless an incident requires longer retention. Rate-limit counters live in memory only and reset with the window.
Every processor we use is bound by a written agreement under Art. 28 GDPR that requires equivalent technical and organisational measures.
We welcome security researchers and members of the community who help us improve our security posture. Recognised disclosures may be acknowledged in our Hall of Fame.
Email security@crowdee.ai (preferred) or use our contact form. Include the affected system, endpoint, or page; the steps required to reproduce the issue; and the impact you see.
Where it helps us reproduce, attach screenshots, log excerpts, HTTP requests/responses, or proof-of-concept code. Avoid attaching real customer data.
Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate, and please do not access data that is not yours, degrade the service, or pivot beyond what is needed to demonstrate the issue.
We acknowledge reports within 3 business days and provide a first triage assessment within 10 business days. Fix timelines depend on severity; we will keep you informed.
Safe harbour. Good-faith research that follows this policy — meaning you respect the in-scope and out-of-scope rules above, avoid degradation of the service, and do not access, modify, or retain data that does not belong to you — will not trigger legal action from Crowdee. If you are unsure whether an action is allowed, ask us first at security@crowdee.ai.
We do not publish these documents because they evolve with our sub-processor relationships. Ask and we will send the current version.
Art. 28 GDPR template plus relevant sub-processor list, ready to counter-sign before processing begins.
Request a copyWe respond to vendor security questionnaires (CAIQ-Lite, SIG-Lite, or your own template) on request.
Request a copyCurrent list of sub-processors used by the Platform, including hosting, anti-abuse, and AI model providers.
Request a copyFor the full processing notice and the supervisory authority responsible for Crowdee, see the Privacy Policy. For the commercial framework, see the Terms and Conditions.
Whether you are a researcher with a finding, a procurement lead with a questionnaire, or a customer with a sensitive question — write to security@crowdee.ai and a human will get back to you.
