Security at CRHQ
Last updated: April 10, 2026
CRHQ is built on a simple principle: your data belongs to you, and it stays on your server. Every client gets a fully dedicated, isolated environment — not a shared database, not a multi-tenant cluster. A dedicated server that is exclusively yours.
This page outlines the technical measures we take to keep that environment secure.
1. Dedicated & Isolated Infrastructure
Each CRHQ satellite is a fully dedicated virtual private server. There is no shared compute, no shared database, and no shared storage between clients.
- Your server runs its own operating system, application instance, and database.
- Your PostgreSQL database is bound exclusively to localhost — it is not accessible from the network.
- The application and AI agents run under separate system users with scoped permissions, providing process-level isolation.
- Each satellite operates independently — no satellite can access another satellite's data, processes, or network.
2. Server Hardening
Every server is provisioned with a comprehensive security hardening profile, applied automatically during setup and maintained throughout the server's lifetime.
Network Security
- Firewall (UFW) — only ports 22 (SSH), 80 (HTTP), and 443 (HTTPS) are open. All other ports are blocked by default.
- Fail2ban — intrusion detection that automatically bans IP addresses after repeated failed SSH login attempts.
- Kernel hardening — IP redirect sending is disabled and martian packet logging is enabled to detect network anomalies.
SSH Access
- Password authentication is disabled — key-based authentication only.
- X11 forwarding is disabled.
- Access is restricted to authorized fleet management keys.
Web Server
- Server version information is hidden.
- HSTS — Strict Transport Security enforced with a one-year max-age, including subdomains.
- X-Frame-Options — prevents clickjacking attacks (SAMEORIGIN).
- X-Content-Type-Options — prevents MIME-type sniffing (nosniff).
- Referrer-Policy — strict-origin-when-cross-origin.
- Permissions-Policy — camera, geolocation, and payment APIs are disabled.
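As an added illustration (not CRHQ's own code), the Go function below audits a single HTTP response's headers against the policy listed above and returns one finding per deviation; the expected values are taken from this list, and any sample headers fed to it are constructed.

```go
package main

import (
	"net/http"
	"strconv"
	"strings"
)

// auditHeaders compares one response's headers with the policy listed
// above; it returns one finding per deviation (empty means compliant).
func auditHeaders(h http.Header) (findings []string) {
	// HSTS: max-age of at least one year (31536000 s) and includeSubDomains.
	hsts := strings.ToLower(h.Get("Strict-Transport-Security"))
	maxAge := 0
	for _, d := range strings.Split(hsts, ";") {
		if d = strings.TrimSpace(d); strings.HasPrefix(d, "max-age=") {
			maxAge, _ = strconv.Atoi(strings.TrimPrefix(d, "max-age="))
		}
	}
	if maxAge < 31536000 {
		findings = append(findings, "HSTS max-age below one year")
	}
	if !strings.Contains(hsts, "includesubdomains") {
		findings = append(findings, "HSTS missing includeSubDomains")
	}
	// Headers with a single expected value (compared case-insensitively).
	for _, c := range []struct{ name, want string }{
		{"X-Frame-Options", "SAMEORIGIN"},
		{"X-Content-Type-Options", "nosniff"},
		{"Referrer-Policy", "strict-origin-when-cross-origin"},
	} {
		if !strings.EqualFold(h.Get(c.name), c.want) {
			findings = append(findings, c.name+" is not "+c.want)
		}
	}
	// Permissions-Policy: each listed feature needs an empty allowlist "()".
	pp := strings.ReplaceAll(h.Get("Permissions-Policy"), " ", "")
	for _, feat := range []string{"camera", "geolocation", "payment"} {
		if !strings.Contains(pp, feat+"=()") {
			findings = append(findings, "Permissions-Policy does not disable "+feat)
		}
	}
	// A digit in the Server header means a version string is being disclosed.
	if strings.ContainsAny(h.Get("Server"), "0123456789") {
		findings = append(findings, "Server header discloses a version")
	}
	return findings
}
```

Point it at the headers of a real response (for example from `net/http`'s `Response.Header`) to confirm a satellite actually serves the policy described here.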
Automatic Patching
Unattended security upgrades are enabled on every server, ensuring that critical OS-level security patches are applied automatically without manual intervention.
3. Encryption
- In transit — all traffic is encrypted with TLS. Only TLSv1.2 and TLSv1.3 are supported. Weak cipher suites (null ciphers, MD5) are explicitly disabled.
- Infrastructure — all servers run on encrypted storage provided by the infrastructure vendor. Data on disk is encrypted at the hardware level.
- Application layer — sensitive credentials (OAuth tokens, API keys, passwords) are encrypted before being stored in the database using AES-256-GCM authenticated encryption with per-satellite keys.
- SSL certificates — every satellite is provisioned with a wildcard SSL certificate, automatically managed and renewed.
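Added example, not CRHQ's implementation: one way to do per-satellite AES-256-GCM credential encryption in Go, binding the satellite id and column name as associated data so a stored value cannot be silently moved to another satellite or field. The key handling, nonce layout and associated-data format are assumptions, not details the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// Assumed layout, not CRHQ's actual scheme: nonce || ciphertext || tag under the
// satellite's own 32-byte key; satellite id and column name are the associated data.
func gcmFor(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
func aad(satelliteID, field string) []byte { return []byte(satelliteID + "\x00" + field) }

// sealCredential encrypts one secret for storage in the given column.
func sealCredential(key []byte, satelliteID, field string, secret []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random 96-bit nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, aad(satelliteID, field)), nil
}

// openCredential decrypts a stored value; a wrong key, a wrong satellite or
// column context, or any modification yields an error, never plaintext.
func openCredential(key []byte, satelliteID, field string, stored []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(stored) < n+gcm.Overhead() {
		return nil, errors.New("stored value too short")
	}
	return gcm.Open(nil, stored[:n], stored[n:], aad(satelliteID, field))
}
```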
4. Data Privacy
We do not access, use, or retain your data. Our role is to provision and maintain the server infrastructure and provide the application layer. Your data lives on your server and your server alone.
- We do not train any AI models — internal or external — on your data.
- We do not read, analyze, or aggregate your agent conversations, outputs, or files.
- We access your server only when necessary for maintenance or at your explicit request for support.
- AI model API calls go directly from your server to the provider (Anthropic, OpenAI, etc.). We do not proxy, cache, or log this traffic.
5. Geographic Regions
You choose where your server is physically located. We currently offer the following provisioning regions:
- Europe — Germany, Finland
- US East — Ashburn, Virginia
- US West — Hillsboro, Oregon
- Asia Pacific — Singapore
For specific geographic or compliance requirements, we can accommodate custom hosting arrangements. Contact us to discuss your needs.
6. Backup & Disaster Recovery
We maintain multiple layers of backup to protect against data loss:
- Hosting provider backups — automatic server snapshots maintained by the infrastructure provider.
- Application-level backups — daily, weekly, and monthly database backups stored on a separate cloud storage provider, independent of the hosting infrastructure, providing geographic redundancy.
In the event of server failure, recovery involves provisioning a new server and restoring from the most recent backup. Application restarts are measured in minutes; full server rebuilds from backup are measured in hours.
7. Monitoring & Incident Response
Every satellite is continuously monitored through a fleet-wide health monitoring system that tracks:
- CPU and memory usage
- Disk utilization
- Application process health and uptime
- Satellite health endpoint availability
- SSH reachability
Critical alerts — high resource usage, application downtime, unreachable servers — trigger real-time notifications to our operations team and are addressed promptly.
Network access restrictions (IP allowlisting) are available on request for clients with specific compliance requirements.
In the event of a security breach, we commit to notifying affected clients within 72 hours of becoming aware of the incident.
8. Third-Party Services
CRHQ integrates with third-party AI model providers so your agents can perform tasks. The data handling for each provider is governed by their own terms of service and privacy policies:
- Anthropic — API data is not used for model training. See Anthropic's Privacy Policy.
- OpenAI — API data is not used for model training by default. See OpenAI's Privacy Policy.
- Google — See Google's Privacy Policy.
Our hosting infrastructure is provided by Hetzner Cloud, a German company operating under EU data protection regulations. Hetzner provides the underlying compute infrastructure but does not have access to application-level data.
Billing is handled by Stripe. We do not store credit card numbers directly.
9. Platform Updates
CRHQ is a managed platform. We release updates across the network to improve functionality, fix bugs, and patch security vulnerabilities. We take rigorous measures to ensure updates do not disrupt existing workflows, agents, or configurations.
Security-critical patches are applied promptly. Non-critical updates and feature releases are communicated via Slack and email.
10. Ownership & Portability
Everything you build on the platform is yours — agents, workflows, skills, scripts, configurations, automations, and data. You own it 100%.
If you choose to leave, all your data can be exported in industry-standard formats: PostgreSQL database dumps, Markdown files, and standard file transfer from the server filesystem. We provide a minimum 30-day export window after cancellation.
The CRHQ platform application itself (the satellite codebase) is proprietary and remains the intellectual property of Zero Point Studio d.o.o. You are licensed to use it for the duration of your subscription.
Questions?
If you have security questions, need additional detail, or want to discuss enterprise security requirements, contact us:
Zero Point Studio d.o.o.
Email: hello@crhq.ai