Overview
Krewvio is SOC 2 Type II certified and undergoes annual third-party penetration testing. All customer data is encrypted at rest with AES-256 and in transit with TLS 1.3. Production systems are isolated, access is logged, and incident response is rehearsed quarterly.
Our latest SOC 2 report and penetration test letter are available under NDA — email security@krewvio.com.
Infrastructure
- Hosting — Amazon Web Services, us-east-1, multi-AZ for high availability.
- Network — production VPC is fully private. No public-facing databases. All ingress through a managed WAF.
- Compute — containerized workloads on managed Kubernetes. No long-running shell access to production hosts.
- Backups — automated, encrypted, retained for 30 days. Quarterly restore drills.
- Disaster recovery — RTO of 4 hours, RPO of 15 minutes for the production database.
Encryption
Every byte of customer and homeowner data is encrypted at rest with AES-256, with keys managed in AWS KMS and rotated annually. Traffic between every client and Krewvio is encrypted with TLS 1.3; legacy ciphers and SSL 3.0 are disabled.
Database backups are encrypted with a separate key. Disk volumes and S3 buckets are encrypted at the storage layer. Production secrets live in AWS Secrets Manager, never in source control.
Access control
- Every Krewvio employee has a hardware-key MFA token (YubiKey) required for production access.
- Production access is gated through a bastion host with full session recording.
- Access is granted on a least-privilege basis and reviewed quarterly.
- New hires complete security training before any production access is granted.
- Offboarding revokes all access within 4 hours of termination.
Application security
- Every code change is reviewed by a second engineer before merge.
- Automated dependency scanning blocks known-vulnerable libraries.
- Static analysis runs on every pull request — secret scanning, SAST, license compliance.
- Dynamic analysis runs nightly against staging.
- Annual third-party penetration testing; remediation priority tracked publicly inside the company.
- Coordinated disclosure: security@krewvio.com. 24-hour acknowledgement, 90-day remediation target.
AI Agent data handling
The AI Agent sends conversation content to model providers (Anthropic and OpenAI) under zero-data-retention agreements. Providers do not store homeowner messages after a response is generated, and they do not use customer or homeowner data to train models.
Drafts are reviewable in your dashboard before they go live unless you explicitly enable auto-reply. The AI Agent never sends a homeowner message that contains another customer's data.
Incident response
- On-call engineer paged within 5 minutes of any production alert.
- Security incidents triaged by the security lead within 30 minutes.
- Customer notification for confirmed data incidents within 72 hours, in plain language, with the scope and the fix.
- Quarterly tabletop drills covering ransomware, credential compromise, and subprocessor breach scenarios.
- Annual external red-team exercise.
Subprocessors
A full list of current subprocessors and their roles is at krewvio.com/subprocessors. We give 30 days' written notice before adding a new one with access to customer data.
Compliance and audits
- SOC 2 Type II — annual audit, available under NDA.
- GDPR — Data Processing Addendum available for any EU-based customer (or any customer with EU-resident homeowners).
- CCPA — homeowner data-subject requests honored within 45 days.
- TCPA — every SMS sent through Krewvio respects consent, opt-out, and quiet-hours rules.
Reporting a vulnerability
Email security@krewvio.com. Include reproduction steps and a PoC if you have one. We respond within 24 hours, fix critical issues inside 7 days, and credit reporters publicly with permission. Krewvio does not pursue legal action against good-faith researchers operating within the scope at krewvio.com/security/scope.