We're early. Here's what's actually true today — written plain, without the whitepaper theatre.
Every workspace is a hard boundary. Your crew, your clients, your pipeline — agents in one workspace never see, reference, or learn from another's data. Enforced at the data tier, not just in application code.
Every LLM call is opted out of training. Your emails, proposals, financials, and internal reasoning never enter a training corpus — not ours, not our model providers'. Contractually guaranteed.
Everything stored is encrypted. Everything that moves uses TLS. Secrets live in a managed vault, never in code. The specific controls we rely on are in the DPA — available on request when you're ready to sign something.
Cruma's core product feature is also its core security feature. Every agent action is logged with the inputs, the reasoning, and the output. You can replay any decision. Nothing ships without your nod on things that matter.
Required disclosure for any vendor review. This is the full list today. We'll email you if it changes.
Public security posture should match what you could verify if you asked. So here's the list of things we're working toward — and honest about not having today.
SOC 2 Type II. In progress. We're early — the audit is kicked off but not complete.
Enterprise SSO / SCIM. Not shipped. Today: email auth with magic links. SSO arrives when we have a tier to put it on.
Customer-managed encryption keys. On the roadmap. Platform keys today, CMEK when enterprise customers pull us there.
Bug bounty / disclosure program. Informal today: email security@cruma.ai and you'll hear back from Sean directly. Formal program when it makes sense.