Security at Corleh
Protecting your data is foundational to everything we build. This page outlines the technical and organisational measures we use to keep your CRM platform and your contacts' information safe.
Encryption at Rest & in Transit
All data is encrypted at rest using AES-256 and transmitted exclusively over TLS 1.2+ connections. Database credentials and API keys are stored in encrypted environment vaults, never in source code.
OAuth 2.0 Authentication
Corleh CRM uses OAuth 2.0 exclusively — we never store your Google or LinkedIn passwords. Access tokens are encrypted and refreshed on a rolling basis. Sessions are signed and validated server-side on every request.
Cloud Infrastructure
The platform is hosted on Vercel's global edge network with automatic DDoS mitigation and redundant compute. The database tier runs on Neon Serverless PostgreSQL with point-in-time recovery and automatic backups every 24 hours.
Least-Privilege Access
The platform requests only the minimum OAuth scopes needed for each integration. Google access is scoped to Gmail (read/compose) and Calendar. LinkedIn access is scoped to posting and profile reads only.
Audit Logging
All significant actions — logins, data exports, bulk operations, API calls — are recorded in an immutable audit log tied to your authenticated session. Logs are retained for a minimum of 90 days.
Dependency & Vulnerability Management
Dependencies are reviewed and updated on a rolling basis. We monitor advisories via npm audit and GitHub Dependabot. Critical security patches are deployed within 24 hours of disclosure.
Data Handling Summary
Contact data — Names, emails, phone numbers, LinkedIn profiles, and notes stored in your CRM are held in your isolated database partition. They are never sold, rented, or shared with third parties for marketing purposes.
Email & calendar data — Gmail and Google Calendar data is accessed via your authenticated Google OAuth session. We cache the minimum data required to render the in-app experience and do not retain email body content beyond your active session unless explicitly used by a feature (e.g. AI summarisation).
LinkedIn data — LinkedIn OAuth tokens are stored encrypted in your user record. Post content and profile data fetched via the LinkedIn API are used solely to operate the Social Media feature on your behalf.
AI interactions — Queries sent to the AI Agent may be processed by Anthropic's Claude API. We do not use your data to train third-party models. See Anthropic's privacy policy for their data practices.
Responsible Disclosure
If you discover a potential security vulnerability in Corleh CRM, we ask that you report it to us responsibly before any public disclosure. We will acknowledge your report within 48 hours and provide a resolution timeline. We do not take legal action against researchers acting in good faith.
security@corleh.com
Last reviewed: 13 May 2026