Trust & Security

Your relationships are sacred. So is your data.

Authentic CRM handles dozens of real relationships, not millions of leads. Fewer records, more care. Here is exactly how we protect your data.

TLS encryption
Encrypted at rest
SOC 2 infrastructure
Org-level isolation
No tracking cookies
AI never trains on your data

Infrastructure

Encrypted in transit

All connections use TLS encryption. We enforce HTTPS-only connections so your browser never falls back to an unencrypted channel.

Encrypted at rest

Your data is stored on Neon PostgreSQL, which encrypts all data at rest. Neon maintains SOC 2 Type II compliance. See trust.neon.com for details.

Hosted on Vercel

Our application runs on Vercel's edge network with built-in DDoS protection. Vercel maintains SOC 2 Type II compliance. See security.vercel.com for details.

Security headers

We set strict Content Security Policy, X-Frame-Options, and other headers to protect against clickjacking, XSS, and content injection.

Data isolation

Organization-level separation

Every database query is filtered by your organization. Your data is never accessible to other accounts. We regularly audit all server actions, API routes, and pages to verify isolation.
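The "every query is filtered by your organization" guarantee is easiest to uphold when the data layer cannot express an unscoped query at all. The following is an added illustration, not Authentic CRM's own code: a query builder that takes the organization id from the session and refuses to run without it, a small in-memory stand-in for the database, and an audit helper of the kind a periodic review of server actions and API routes could run over generated SQL. Table and column names (`people`, `org_id`, and so on) are constructed for the example.

```javascript
// Added example (not Authentic CRM's code): a tenant-scoped query builder
// that cannot emit a SELECT without the organization filter, plus an
// in-memory executor and an audit helper. Table and column names are
// constructed for illustration.
const SCOPED_TABLES = new Set(["people", "companies", "touches", "tasks"]);
const IDENT = /^[a-z_][a-z0-9_]*$/;

// Every query starts from the caller's orgId; there is no unscoped variant.
// Extra filters are parameterized, and column names are validated so the
// builder never interpolates caller-controlled text into the SQL.
function scopedSelect(table, orgId, extraWhere = {}) {
  if (!SCOPED_TABLES.has(table)) throw new Error(`unknown table: ${table}`);
  if (typeof orgId !== "string" || orgId.length === 0) {
    throw new Error("orgId is required for every query");
  }
  const params = [orgId];
  const filters = [["org_id", orgId]];
  const clauses = ["org_id = $1"];
  for (const [col, val] of Object.entries(extraWhere)) {
    if (!IDENT.test(col)) throw new Error(`bad column name: ${col}`);
    if (col === "org_id") {
      throw new Error("org_id comes from the session, not from the caller");
    }
    params.push(val);
    filters.push([col, val]);
    clauses.push(`${col} = $${params.length}`);
  }
  return {
    text: `SELECT * FROM ${table} WHERE ${clauses.join(" AND ")}`,
    params,
    filters,
  };
}

// Constructed sample data: two organizations sharing one table.
const ROWS = {
  people: [
    { id: "p1", org_id: "org_a", name: "Ada" },
    { id: "p2", org_id: "org_b", name: "Grace" },
  ],
};

// Tiny stand-in for the database: applies the structured filters to ROWS.
function runScoped(query) {
  const table = query.text.match(/FROM (\w+)/)[1];
  return (ROWS[table] || []).filter((row) =>
    query.filters.every(([col, val]) => row[col] === val)
  );
}

// Audit helper: flags a SELECT on a tenant table whose WHERE clause lacks
// a parameterized org_id filter. Non-tenant tables pass by definition.
function isOrgScoped(sqlText) {
  const m = sqlText.match(/FROM\s+(\w+)/i);
  if (!m || !SCOPED_TABLES.has(m[1].toLowerCase())) return true;
  return /\borg_id\s*=\s*\$\d+/.test(sqlText);
}

// Demo: an org_a session asking for org_b's record gets an empty result,
// and a hand-written unscoped query is caught by the audit check.
function demo() {
  const crossTenant = runScoped(scopedSelect("people", "org_a", { id: "p2" }));
  const unscoped = isOrgScoped("SELECT * FROM people WHERE id = $1");
  return { crossTenantRows: crossTenant.length, unscopedPasses: unscoped };
}

console.log(demo()); // { crossTenantRows: 0, unscopedPasses: false }
```

The point of returning `filters` alongside `text` and `params` is that the same structure drives both the real query and the test double, so an isolation test can assert on behaviour rather than on string matching alone.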

Role-based access

Organization owners control who has access. Team members can only see data within their own organization.

Session security

Sessions expire automatically and are invalidated on logout.

Rate limiting

Sensitive endpoints are rate-limited to prevent brute-force attacks.

AI and your data

Your data never trains AI models

We use Anthropic's Claude for AI features. Anthropic does not use API inputs to train their models. Your notes and context are processed, not learned from.

You control what AI sees

AI suggestions are generated from the notes and context you've entered. You decide what to capture, and AI only works with what you've provided.

AI suggests, never acts

AI proposes touch suggestions with reasoning you can review. It never sends messages, creates records, or takes action on your behalf.

Transparent reasoning

Every AI suggestion includes an explanation of why it was made, so you can evaluate the recommendation before acting on it.

Authentication

Password security

Passwords are securely hashed before storage using industry-standard algorithms. We never store or log plaintext passwords.

Bot protection

Login and signup are protected by Cloudflare Turnstile to prevent automated attacks.

No third-party tracking cookies

We use a single, essential session cookie for authentication. No advertising or third-party tracking cookies.

API key security

API keys are securely hashed before storage and can be revoked at any time from Settings.

Payment security

Stripe handles payments

All payment processing goes through Stripe, which is PCI DSS Level 1 certified. We never see or store your full card number.

Sensitive fields are vaulted

Card data is tokenized through Very Good Security (VGS) before reaching our systems.

Chrome extension

What the extension accesses

The Chrome extension reads publicly visible information from LinkedIn profile pages you visit — name, headline, company, location, photo, and about section. It only reads data when you click "Add to Authentic."

Data stays in your CRM

Profile information is sent directly to your Authentic CRM account over an encrypted connection. It is not shared with any other service or third party.

No background data collection

The extension does not monitor your browsing activity, collect data from other websites, or run in the background. It only activates on LinkedIn profile pages.

Local storage

The extension stores only your API key locally in Chrome's sync storage to authenticate with your CRM account. You can revoke the key at any time from Settings.

Your rights

Your data is yours

You own the data you put into Authentic CRM. We do not sell your data to third parties, and we never will.

Data export

Organization owners can export all data at any time from Settings. The export is a JSON file containing your people, companies, touches, tasks, milestones, opportunities, knowledge items, and more.

Account deletion

Organization owners can delete their organization and all associated data at any time from Settings. Deletion is immediate and permanent.

GDPR

We respect your data protection rights including access, correction, deletion, and objection. Contact us to exercise any of these rights.

Sub-processors

These are the third-party services that process data on our behalf. Each is selected for its security posture and data handling practices.

Service | Purpose
Anthropic | AI suggestions and memory
Stripe | Payment processing
Google | Email and calendar
Infrastructure providers | Hosting, database, error monitoring
Transactional email provider | System emails (invites, resets)
Enrichment providers | Contact enrichment
Granola | Meeting transcripts

Questions about security?

We are happy to discuss our security practices, provide a Data Processing Agreement (DPA), or set up a call with our team.

security@workwithauthentic.com