Data Storage & Location
Where is my data stored?
Customer data is stored in GCP us-central1 (Iowa) by default. Enterprise customers can specify alternative regions including eu-west1 (Belgium), ap-southeast1 (Singapore), and ap-northeast1 (Tokyo).
Can I choose my data residency region?
Yes, enterprise customers can select their preferred region during onboarding. Contact sales@blazecrawl.dev to configure.
What happens to data when I delete my account?
Upon account deletion, all data is permanently removed within 30 days. You receive a deletion certificate confirming the process.
How long is data retained?
Default retention is 90 days for scraped content. Audit logs are retained for 7 years. Enterprise customers can customize retention policies.
Is my data backed up?
Yes, we perform daily backups with 35-day point-in-time recovery capability. Backups are stored in a separate isolated project.
Encryption
Is my data encrypted in transit?
All data in transit is encrypted using TLS 1.3. We also support TLS 1.2 for backward compatibility.
Is my data encrypted at rest?
Yes, all data at rest is encrypted using AES-256. Database encryption uses Cloud SQL CMEK (Customer-Managed Encryption Keys).
Who manages encryption keys?
Keys are managed via GCP KMS. Enterprise customers can bring their own keys (BYOK) using Cloud HSM.
How often are encryption keys rotated?
Encryption keys are rotated every 90 days automatically. We also support manual rotation on demand.
Do you encrypt backup data?
Yes, all backups are encrypted with the same AES-256 standard as production data.
Access Control
Who has access to my data?
Access is restricted to authorized personnel with documented need-to-know. All access is logged and audited. There is no standing access to customer data.
How do you authenticate employees?
All employees require SSO via Google Workspace or Okta, plus MFA (hardware keys or authenticator apps).
Can I audit who accessed my account?
Yes, the audit log API (/v1/audit-log) provides detailed logs of all API access and administrative actions.
Do you conduct access reviews?
Yes, we conduct quarterly access reviews to ensure appropriate access levels are maintained.
What RBAC options are available?
We support workspace-level RBAC with the roles Admin, Editor, and Viewer. Custom roles are available for enterprise.
Compliance
Are you GDPR compliant?
Yes, we are GDPR compliant with a signed DPA available. We notify customers within 72 hours of any breach affecting their data.
Do you have a DPA?
Yes, our DPA is available at /dpa. For enterprise accounts, we provide custom DPAs with specific terms.
Are you CCPA compliant?
Yes, we comply with CCPA requirements including the right to delete, know, and opt out of sale.
What certifications do you have?
SOC 2 Type I in progress (May 2026), SOC 2 Type II observation window started, GDPR/CCPA compliant. See /certifications for details.
Can I get a penetration test report?
Annual pen test summaries are available on request under NDA. Full reports are available for enterprise customers.
Do you support HIPAA?
HIPAA BAA is on our roadmap for Q3 2026. Contact sales@blazecrawl.dev to be notified when available.
What sub-processors do you use?
Our current sub-processors are listed at /subprocessors. We notify customers 30 days in advance of any changes.
Security Incidents
What happens if there is a data breach?
We notify affected customers within 72 hours per GDPR requirements. Incident response includes containment, investigation, remediation, and post-mortem.
Do you have an incident response plan?
Yes, we maintain a documented IRP with clear escalation procedures. We conduct quarterly incident response drills.
How do you handle vulnerabilities?
We run a vulnerability disclosure program via HackerOne. Critical vulnerabilities are addressed within 24 hours.
Can I report a security issue?
Yes, please report via our vulnerability disclosure program at /vulnerability-disclosure or email security@blazecrawl.dev.
What is your SLA for security incidents?
Critical (SEV1) incidents: 15-minute response, 4-hour resolution target. High (SEV2): 1-hour response, 24-hour resolution.
Data Processing
What data do you process?
We process: contact information, usage data, authentication credentials, and content you explicitly scrape using our service.
Do you use my data to train AI models?
No. Customer data is never used to train AI models. Data is isolated per workspace and deleted according to retention policies.
Can I export my data?
Yes, use the API or dashboard to export all your data. We provide JSON, CSV, and NDJSON formats.
How do you handle sensitive data detection?
We automatically detect and redact PII (personally identifiable information) in scraped content when requested.
Do you scan for malware in scraped content?
Yes, all scraped content is scanned for malware before storage. Suspicious content is quarantined.
Network & Infrastructure
What cloud provider do you use?
We use Google Cloud Platform (GCP) for all infrastructure.
Is there network segmentation?
Yes, we use VPC service controls and private networking. Production databases are not internet-accessible.
Do you use DDoS protection?
Yes, we use Cloud Armor for DDoS protection and WAF capabilities.
How do you secure APIs?
All APIs require authentication (API key or OAuth). We implement rate limiting, input validation, and output encoding.
Is there a WAF?
Yes, we use Cloud Armor WAF with OWASP Top 10 protection rules.
Monitoring & Logging
Do you monitor for threats?
Yes, we use SIEM integration, intrusion detection, and continuous security monitoring. Alerts trigger within 5 minutes.
How long are logs retained?
Security logs are retained for 1 year. Audit logs are retained for 7 years per compliance requirements.
Can I integrate with my SIEM?
Yes, our audit log API supports SIEM webhook integration for real-time event streaming to Splunk, Datadog, or Elastic.
What metrics do you track?
We track: API latency (p50, p95, p99), error rates, authentication failures, and anomalous access patterns.
Third-Party Security
Are your dependencies secure?
We use automated dependency scanning (Snyk) and update dependencies monthly. Critical CVEs are addressed within 24 hours.
Do you have vendor risk management?
Yes, all critical vendors undergo security assessment before onboarding and annual review.
What payment processors do you use?
We use Stripe for payments. Stripe is PCI DSS Level 1 certified.
Employee Security
Do employees receive security training?
Yes, all employees complete annual security awareness training and sign acceptable use policies.
Can employees access customer data?
Only authorized personnel with documented need-to-know can access customer data, and all access is logged.
Do you background check employees?
Yes, all employees undergo background checks as part of our hiring process.
Have more questions?
Contact our security team at security@blazecrawl.dev