Security

CRHQ is designed with security at every layer — from server isolation to credential encryption.

Server Isolation

Each CRHQ instance runs on a dedicated VPS. There's no shared infrastructure between customers:

• Separate server — Your instance runs on its own machine
• Separate database — Your data is in its own PostgreSQL database
• Separate file system — Files are isolated to your server
• Separate network — Each server has its own IP and SSL certificate

Authentication

User Authentication

• Session-based — Secure session cookies with httpOnly flag
• Password hashing — bcrypt with salt
• Two-factor authentication — TOTP-based 2FA with backup codes
• Session expiration — Configurable session timeout

API Authentication

• API keys — For agent-to-service communication
• Hub keys — For CRHQ Hub sync operations
• Session tokens — For authenticated API requests

Credential Encryption

Stored credentials (API keys, tokens, passwords) are encrypted using:

• Algorithm — AES-256-GCM
• Per-value encryption — Each credential is encrypted independently
• Server-side only — Decryption only happens on the server, never in the browser
• Audit logging — Every credential access is logged

Agent Isolation

Agents run as an isolated agent user on the server:

• Separate Linux user with limited permissions
• Process isolation from the main application
• No access to system-level configurations
• File system access scoped to the working directory

Network Security

• SSL/TLS — All traffic encrypted with HTTPS
• Nginx reverse proxy — No direct access to application ports
• Security headers — HSTS, X-Frame-Options, X-Content-Type-Options
• Firewall — Only necessary ports exposed (80, 443, SSH)

Data Protection

• No data sharing — Your data stays on your server
• No training data — Conversations are not used to train models
• Backup system — Regular automated backups
• Version history — All content changes are versioned and recoverable