Crowdee
Compliance

Infrastructure & Security

Hosting, data residency, encryption, and NIS2 security posture.

Crowdee's infrastructure is designed for security, availability, and regulatory compliance. All production systems are hosted in Germany under German and EU law. The architecture avoids dependencies on third-party cloud providers or content delivery networks that would route customer content outside the EU, and is hardened with encryption, short-lived credentials, and role-based access controls at every layer.

Data Residency

All Crowdee production services run on dedicated infrastructure in netcup GmbH data centres in Nuremberg and Karlsruhe, Germany. No customer content is routed through third-party CDNs. No cross-border data transfers occur at any point in the processing lifecycle — file upload, enrichment, AI analysis, crowd task distribution, and result storage all occur within the same Germany-hosted environment.

The AI model used for pipeline execution is hosted locally on Crowdee-operated servers within the same data centre environment. Content submitted for verification is never sent to external AI APIs or cloud-hosted language model providers.

For a full list of sub-processors — third-party organisations that handle data on Crowdee's behalf in a limited capacity — see crowdee.ai/subprocessors. The sub-processor list is maintained and updated when changes occur. Customers on the Enterprise plan receive advance notice of sub-processor changes via email.

Encryption

Data at rest is encrypted using AES-256. Persistent storage — including the PostgreSQL database, file storage (Ceph S3-compatible object storage), and backup archives — uses encrypted volumes and server-side encryption respectively. Encryption keys are managed by Crowdee using hardware security module-backed key management.

Data in transit is encrypted with TLS. TLS 1.3 is the preferred protocol; TLS 1.2 is supported for compatibility. TLS 1.0 and 1.1 are disabled. Internal service-to-service communication within Crowdee's infrastructure also uses TLS; internal traffic does not traverse the public internet.

File uploads and API responses are transmitted exclusively over HTTPS. There is no HTTP fallback. API requests over plain HTTP receive a redirect to the HTTPS endpoint.

Authentication and Access Control

Crowdee uses OIDC-based user authentication via a self-hosted identity provider. External identity providers can be federated for enterprise SSO deployments. Sessions are managed via JWT tokens with a 60-minute lifetime; token refresh requires re-authentication via the OIDC flow.

API access uses scoped API keys. Keys are prefixed crw_ and are stored as SHA-256 hashes — Crowdee never stores the plaintext key after it is displayed once at creation. Each API key is bound to an organisation and carries one of four role levels: viewer, user, admin, or superadmin. Keys can be scoped to specific organisations in multi-organisation setups, preventing lateral movement across organisational boundaries.

Role-based access control is enforced by a Casbin RBAC policy engine on every API request. Permissions are evaluated per-route and per-resource, not just at the role level. This means a key with user role on Organisation A has no access to any resource belonging to Organisation B, even on the same Crowdee instance.

API keys are rotatable via the Platform dashboard under Settings → API Keys and via the API:

DELETE https://api.crowdee.ai/v2/users/me/api-keys/{keyId}
X-API-Key: crw_YOUR_API_KEY

Rate limiting is enforced at the API layer: 3,000 requests per 15-minute window for authenticated requests, 150 requests per 15-minute window for anonymous requests. Limits are tracked in Valkey (the Redis-compatible cache) and are applied per API key.

NIS2 Compliance

Crowdee operates incident response and vulnerability management processes consistent with the requirements of the NIS2 Directive (Directive 2022/2555). These processes include:

  • Vulnerability management: Security patches are applied within 72 hours for critical (CVSS 9.0+) vulnerabilities in Crowdee's own codebase and within standard maintenance windows for high-severity vulnerabilities in dependencies. Crowdee subscribes to security advisory feeds for all production dependencies.
  • Incident response: Crowdee maintains a documented incident response plan covering detection, containment, eradication, recovery, and post-incident review. Significant security incidents affecting customer data will be notified to affected customers within 72 hours of detection in line with GDPR Article 33 and applicable NIS2 notification obligations.
  • Responsible disclosure: Security vulnerabilities in Crowdee's products can be reported to security@crowdee.com. Crowdee commits to acknowledging reports within 5 business days and to coordinating remediation before public disclosure.

Availability

Service level agreements are available on Managed and Enterprise plans. SLA terms — including uptime commitments, measurement methodology, and credit schedules — are set out in the individual customer agreement. Contact sales@crowdee.ai for SLA terms.

For current system status — including incidents, scheduled maintenance windows, and historical uptime data — visit status.crowdee.ai. Subscription to status notifications is available from the status page.

Security Reviews

Crowdee supports enterprise security reviews including security questionnaire completion, control documentation, and penetration test coordination.

To initiate a security review, contact security@crowdee.com with the scope and timeline of your review. Standard security questionnaire responses (CAIQ, SIG Lite, or equivalent) are available under NDA for enterprise customers and can typically be provided within five business days.

Crowdee welcomes responsible security research. If you discover a vulnerability in Crowdee's platform or infrastructure, please contact security@crowdee.com and allow time for coordinated disclosure before publishing any findings. Crowdee does not pursue legal action against researchers who report vulnerabilities in good faith through the coordinated disclosure process.

How is this guide?

© 2026 Crowdee GmbH. All rights reserved.

On this page