Security Model
Crawbl is designed for enterprises that require rigorous security controls. This page summarizes our security approach.
Security Principles
Zero Trust Architecture
Every component operates with zero trust:
| Principle | Implementation |
|---|---|
| Never trust, always verify | All requests authenticated, all services verify each other |
| Least privilege | Components have minimum permissions needed |
| Explicit verification | No implicit trust based on network location |
| Assume breach | Segmentation limits blast radius |
Defense in Depth
Multiple security layers protect the platform:
Secret Management
Zero Secrets in Git
All sensitive data is stored externally:
| Secret Type | Storage | Access |
|---|---|---|
| API Keys | Managed secrets service | Automated sync to runtime |
| OAuth Tokens | Managed secrets service | Per-user encrypted storage |
| Database Credentials | Managed secrets service | Kubernetes secrets injection |
| TLS Certificates | Automated certificate management | Automatic renewal |
Secret Flow
Secrets are:
- Never committed to Git
- Rotated automatically where possible
- Scoped to specific workspaces
- Audited for access
Network Security
Runtime Isolation
Agent runtimes have no direct internet access:
All external communication goes through the orchestrator:
| Traffic Type | Allowed? | Mediated By |
|---|---|---|
| User → Orchestrator | ✅ Yes | Ingress + Auth |
| Orchestrator → Agent runtime | ✅ Yes | MCP/Webhook |
| Agent runtime → Orchestrator | ✅ Yes | MCP callback |
| Agent runtime → Internet | ❌ No | N/A |
| Orchestrator → Internet | ✅ Yes | Egress controls |
HMAC Authentication
Internal service-to-service communication uses HMAC:
- Timestamp-based request signing
- Configurable key rotation
- Replay attack prevention
- Audit trail for all requests
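The properties listed above can be combined in one verifier. The following is an added example, not Crawbl's own code: the field names, key ids, secrets, nonce scheme and 300-second window are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import time

# Assumed values for illustration; not Crawbl's real configuration.
KEYS = {"k1": b"constructed-old-key", "k2": b"constructed-new-key"}  # key id -> secret
ACTIVE_KEY_ID = "k2"      # signers use the newest key; verifiers accept every listed key
MAX_SKEW_SECONDS = 300    # signatures older or newer than this are rejected
_seen = {}                # (key id, nonce) -> expiry time, used for replay detection


def _mac(key, method, path, body, ts, nonce):
    # Bind every field a tamperer might change; hashing the body fixes its length.
    body_hash = hashlib.sha256(body).hexdigest()
    msg = "\n".join([method, path, body_hash, str(ts), nonce]).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def sign(method, path, body, nonce, now=None, key_id=ACTIVE_KEY_ID):
    ts = int(time.time() if now is None else now)
    sig = _mac(KEYS[key_id], method, path, body, ts, nonce)
    return {"key_id": key_id, "ts": ts, "nonce": nonce, "sig": sig}


def verify(method, path, body, auth, now=None):
    """Return (accepted, reason); the reason is what an audit log would record."""
    now = time.time() if now is None else now
    key = KEYS.get(auth["key_id"])
    if key is None:
        return False, "unknown_key"       # key was retired or never issued
    if abs(now - auth["ts"]) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"
    expected = _mac(key, method, path, body, auth["ts"], auth["nonce"])
    if not hmac.compare_digest(expected, auth["sig"]):  # constant-time comparison
        return False, "bad_signature"
    # Record nonces only after the MAC verifies, so unsigned traffic cannot fill the cache.
    for stale in [k for k, expiry in _seen.items() if expiry < now]:
        del _seen[stale]
    if (auth["key_id"], auth["nonce"]) in _seen:
        return False, "replay"
    _seen[(auth["key_id"], auth["nonce"])] = auth["ts"] + MAX_SKEW_SECONDS
    return True, "ok"
```

Rotation works by adding the new key to `KEYS`, switching `ACTIVE_KEY_ID`, and removing the old entry once no signer still uses it. The nonce cache only needs to hold entries for the length of the timestamp window, because anything older is already rejected as stale.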
Authentication & Authorization
User Authentication
| Method | Use Case |
|---|---|
| Identity provider JWT | Mobile app users |
| API tokens | Programmatic access |
| API Keys | Service integrations (planned) |
Authorization Model
Workspace-scoped permissions:
Organization
└── Workspace
    └── User Permissions
        └── Resource Access
Users can only access resources within their workspace. Cross-workspace access requires explicit invitation.
Compliance Capabilities
Audit Trail
All actions are logged:
- Request timestamp and source
- User identity and workspace
- Action type and parameters
- Result status
Data Residency
Since you deploy Crawbl in your infrastructure:
- Full control over data location
- No data leaves your environment
- Compliance with regional requirements (GDPR, etc.)
Security Certifications
The platform is designed to support:
- SOC 2 Type II
- HIPAA (with proper configuration)
- GDPR
- ISO 27001 (with proper configuration)
Deep Dive
For detailed technical documentation:
- Authentication Flow - How users authenticate