Security FAQ

Common questions about our security practices (50+ Q&A)

Data Storage & Location

Where is my data stored?

Customer data is stored in GCP us-central1 (Iowa) by default. Enterprise customers can specify alternative regions including eu-west1 (Belgium), ap-southeast1 (Singapore), and ap-northeast1 (Tokyo).

Can I choose my data residency region?

Yes, enterprise customers can select their preferred region during onboarding. Contact sales@blazecrawl.dev to configure.

What happens to data when I delete my account?

Upon account deletion, all data is permanently removed within 30 days. You receive a deletion certificate confirming the process.

How long is data retained?

Default retention is 90 days for scraped content. Audit logs are retained for 7 years. Enterprise customers can customize retention policies.

Is my data backed up?

Yes, we perform daily backups with 35-day point-in-time recovery capability. Backups are stored in a separate isolated project.

Encryption

Is my data encrypted in transit?

All data in transit is encrypted using TLS 1.3. We also support TLS 1.2 for backward compatibility.

Is my data encrypted at rest?

Yes, all data at rest is encrypted using AES-256. Database encryption uses Cloud SQL CMEK (Customer-Managed Encryption Keys).

Who manages encryption keys?

Keys are managed via GCP KMS. Enterprise customers can bring their own keys (BYOK) using Cloud HSM.

How often are encryption keys rotated?

Encryption keys are rotated every 90 days automatically. We also support manual rotation on demand.

Do you encrypt backup data?

Yes, all backups are encrypted with the same AES-256 standard as production data.

Access Control

Who has access to my data?

Access is restricted to authorized personnel with a documented need-to-know. All access is logged and audited, and there is no standing access to customer data.

How do you authenticate employees?

All employees require SSO via Google Workspace or Okta, plus MFA (hardware keys or authenticator apps).

Can I audit who accessed my account?

Yes, the audit log API (/v1/audit-log) provides detailed logs of all API access and administrative actions.

Do you conduct access reviews?

Yes, we conduct quarterly access reviews to ensure appropriate access levels are maintained.

What RBAC options are available?

We support workspace-level RBAC with three roles: Admin, Editor, and Viewer. Custom roles are available for enterprise customers.

Compliance

Are you GDPR compliant?

Yes, we are GDPR compliant with a signed DPA available. We notify customers within 72 hours of any breach affecting their data.

Do you have a DPA?

Yes, our DPA is available at /dpa. For enterprise accounts, we provide custom DPAs with specific terms.

Are you CCPA compliant?

Yes, we comply with CCPA requirements including the right to delete, know, and opt-out of sale.

What certifications do you have?

SOC 2 Type I in progress (May 2026), SOC 2 Type II observation window started, GDPR/CCPA compliant. See /certifications for details.

Can I get a penetration test report?

Annual pen test summaries are available on request under NDA. Full reports are available for enterprise customers.

Do you support HIPAA?

HIPAA BAA is on our roadmap for Q3 2026. Contact sales@blazecrawl.dev to be notified when available.

What sub-processors do you use?

Our current sub-processors are listed at /subprocessors. We notify customers 30 days in advance of any changes.

Security Incidents

What happens if there is a data breach?

We notify affected customers within 72 hours per GDPR requirements. Incident response includes containment, investigation, remediation, and post-mortem.

Do you have an incident response plan?

Yes, we maintain a documented IRP with clear escalation procedures. We conduct quarterly incident response drills.

How do you handle vulnerabilities?

We run a vulnerability disclosure program via HackerOne. Critical vulnerabilities are addressed within 24 hours.

Can I report a security issue?

Yes, please report via our vulnerability disclosure program at /vulnerability-disclosure or email security@blazecrawl.dev.

What is your SLA for security incidents?

Critical (SEV1) incidents: 15-minute response, 4-hour resolution target. High (SEV2): 1-hour response, 24-hour resolution.

Data Processing

What data do you process?

We process: contact information, usage data, authentication credentials, and content you explicitly scrape using our service.

Do you use my data to train AI models?

No. Customer data is never used to train AI models. Data is isolated per workspace and deleted according to retention policies.

Can I export my data?

Yes, use the API or dashboard to export all your data. We provide JSON, CSV, and NDJSON formats.

How do you handle sensitive data detection?

We automatically detect and redact PII (personally identifiable information) in scraped content when requested.

Do you scan for malware in scraped content?

Yes, all scraped content is scanned for malware before storage. Suspicious content is quarantined.

Network & Infrastructure

What cloud provider do you use?

We use Google Cloud Platform (GCP) for all infrastructure.

Is there network segmentation?

Yes, we use VPC service controls and private networking. Production databases are not internet-accessible.

Do you use DDoS protection?

Yes, we use Cloud Armor for DDoS protection and WAF capabilities.

How do you secure APIs?

All APIs require authentication (API key or OAuth). We implement rate limiting, input validation, and output encoding.

Is there a WAF?

Yes, we use Cloud Armor WAF with OWASP Top 10 protection rules.

Monitoring & Logging

Do you monitor for threats?

Yes, we use SIEM integration, intrusion detection, and continuous security monitoring. Alerts trigger within 5 minutes.

How long are logs retained?

Security logs are retained for 1 year. Audit logs are retained for 7 years per compliance requirements.

Can I integrate with my SIEM?

Yes, our audit log API supports SIEM webhook integration for real-time event streaming to Splunk, Datadog, or Elastic.

What metrics do you track?

We track: API latency (p50, p95, p99), error rates, authentication failures, and anomalous access patterns.

Third-Party Security

Are your dependencies secure?

We use automated dependency scanning (Snyk) and update dependencies monthly. Critical CVEs are addressed within 24 hours.

Do you have vendor risk management?

Yes, all critical vendors undergo security assessment before onboarding and annual review.

What payment processors do you use?

We use Stripe for payments. Stripe is PCI DSS Level 1 certified.

Employee Security

Do employees receive security training?

Yes, all employees complete annual security awareness training and sign acceptable use policies.

Can employees access customer data?

Only authorized personnel with documented need-to-know can access customer data, and all access is logged.

Do you background check employees?

Yes, all employees undergo background checks as part of our hiring process.

Have more questions?

Contact our security team at security@blazecrawl.dev.