Most SaaS products keep customer data separate with app-layer logic. If the app has a bug, the isolation breaks. Crewnyx enforces isolation at the PostgreSQL layer using Row-Level Security. A bug in our app can't leak data across companies — the database itself refuses.
Every row in every table has an org_id column. Every read and every write goes through a PostgreSQL Row-Level Security (RLS) policy that says: "You can only see rows where org_id matches the org_id in your session's JWT."
That JWT is signed by Supabase Auth. A user cannot forge it — the signature check happens on every query, in the database, before any row is returned.
-- What every table has CREATE TABLE time_entries ( id uuid PRIMARY KEY, org_id uuid NOT NULL REFERENCES orgs(id), user_id uuid NOT NULL REFERENCES users(id), jobsite_id uuid REFERENCES jobsites(id), started_at timestamptz NOT NULL, ended_at timestamptz, ... ); -- What every table gets ALTER TABLE time_entries ENABLE ROW LEVEL SECURITY; CREATE POLICY "isolate_by_org" ON time_entries FOR ALL USING (org_id = jwt_org_id()) WITH CHECK (org_id = jwt_org_id());
If Company A's admin runs SELECT * FROM time_entries, Postgres itself returns only Company A's rows. There is no code path — no API endpoint, no SQL injection, no admin tool — that returns Company B's rows to Company A's session. The isolation is not "hidden by the UI." It is enforced by the storage engine.
An automated test runs on every code push. It:
If a developer breaks isolation while adding a feature, the code never reaches production. It's not a "we should test that" — it's a hard gate.
Signup redirects to Stripe Checkout, a Stripe-hosted payment page. Card numbers, expiration dates, CVCs — none of that ever touches our servers. Not in memory, not in logs, not in the database, not in transit through our code.
What we receive from Stripe:
customer_id (like cus_QxyzABC...)subscription_idThis means we're PCI-DSS compliant by design — we don't need to be certified because we deliberately never handle regulated data. Stripe handles it, and they are certified at Level 1 (the highest).
All webhook events from Stripe are cryptographically signed. If someone tries to send us a fake "subscription paid" webhook, the signature check fails and it's rejected.
httpOnly, Secure, SameSite=Strict cookies — not localStorage. XSS attacks cannot steal them.Every tenant-affecting action writes to an audit_log table:
actor_id)org_id)action)timestamp)ip_address)diff)Super admins can view their company's full audit log at any time. This is your forensic trail if you ever need it.
If you find a security issue, please email security@crewnyx.com. We respond within 1 business day. We do not currently run a bug bounty, but we credit reporters in the changelog with permission.
Last updated: July 11, 2026 · Owned by Sparky Venture Labs LLC
If your company has specific compliance or security requirements, talk to us before you sign up. We're happy to walk through the specifics.