The companies building the future of AI shouldn’t have to choose between moving fast and meeting their obligations. Crawlzo is engineered to drop into regulated environments on day one. Here is our compliance and security posture: what we do, how we prove it, and who to talk to when your security and legal teams need answers.

Our compliance posture

Crawlzo is built to drop into regulated environments without a six-month review cycle. Compliance is not a feature we bolted on; it is a design constraint we started with. This page summarizes our security and compliance posture so your security, legal, and procurement teams can evaluate us quickly, and tells you how to get the underlying evidence.

Posture at a glance

| Area | Posture |
| --- | --- |
| GDPR / UK GDPR | Ready. DPA with SCCs and UK Addendum available |
| CCPA / CPRA | Compliant. Service-provider terms, no sale of data |
| Encryption in transit | TLS 1.3 |
| Encryption at rest | AES-256 |
| Data retention | Zero-retention default; configurable per engagement |
| Data residency | EU & US options |
| Uptime target | 99.9% standard; higher on enterprise SLAs |

GDPR & UK GDPR

For customers subject to the EU or UK GDPR, Crawlzo acts as a processor and offers a comprehensive Data Processing Addendum incorporating the Standard Contractual Clauses and the UK International Data Transfer Addendum. Our practices reflect the GDPR’s core principles: lawfulness, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability.

We support your obligations with documented security measures, subprocessor governance, breach-notification commitments, and assistance with data-subject requests and impact assessments. Our Data Protection Officer is reachable at support@crawlzo.com.

CCPA & US state privacy laws

For customers subject to the California Consumer Privacy Act (as amended by the CPRA) and similar U.S. state laws, Crawlzo acts as a service provider: we do not sell or share personal information, we process it only to provide the Services, and we contractually commit to the restrictions those laws require. Equivalent terms are available for other state privacy laws as they come into force.

Security program

Our security program is grounded in widely recognized frameworks and applies controls proportionate to the risk:

  • Encryption. TLS 1.3 in transit and AES-256 at rest, with managed key handling.
  • Access control. Least-privilege, role-based access, enforced MFA for administrative access, and regular access reviews.
  • Network & infrastructure. Segmentation, hardened configurations, and restricted ingress/egress.
  • Monitoring. Centralized logging, alerting, and anomaly detection across the platform.
  • Secure development. Code review, dependency scanning, and change management.
  • Vulnerability management. Timely patching and periodic testing, including third-party assessment.
  • People. Confidentiality obligations, security training, and background checks where lawful.

Data handling & retention

Our default is zero retention of the Output delivered through the Services beyond the period needed to deliver it. Retention windows, deletion behavior, and residency are configurable per engagement. We minimize the personal data we handle, and where extraction touches personal data, we support redaction at the extraction layer so you only receive what you actually need.

For customers with regional requirements, we offer EU and US data residency, pinning processing and storage to a chosen region. International transfers are governed by the safeguards described in our DPA and Privacy Policy.

Subprocessor governance

We carefully vet every subprocessor, bind each by contract to data-protection obligations no less protective than our own, and remain responsible for their performance. We maintain a current subprocessor list and provide advance notice of changes so you can object on legitimate grounds. The list is published in our DPA; subscribe to change notifications via support@crawlzo.com.

Availability & resilience

We target 99.9% monthly uptime for the core API on standard engagements, with higher commitments available under enterprise SLAs. The platform is designed for resilience with redundancy, monitoring, and tested recovery procedures. Where your Order Form includes an SLA, it defines the specific commitments, exclusions, and service-credit remedies.

Incident response & breach notification

We maintain a documented incident-response process covering detection, triage, containment, eradication, recovery, and post-incident review. If a personal-data breach affects data we process on your behalf, we will notify you without undue delay and within the timeframes required by law, and cooperate with you on remediation and any required regulatory or individual notifications.

Vulnerability disclosure

We welcome good-faith security research. If you discover a vulnerability, report it to support@crawlzo.com with enough detail to reproduce it. We will acknowledge your report, work to remediate promptly, and will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, and give us reasonable time to fix the issue before public disclosure.

Audits, certifications & evidence

We are committed to demonstrable compliance. We make available the information reasonably necessary for you to assess us, including security documentation and, where available, third-party assessment reports. As our program matures, formal certifications and attestations are part of our roadmap. To request current evidence under NDA, contact support@crawlzo.com.

Talk to us about compliance

Whether you need a signed DPA, a completed security questionnaire, a residency commitment, or a conversation with an engineer about how the platform handles your data, we’re ready. Reach us at support@crawlzo.com or start a conversation through our contact page.