Security
Last updated June 21, 2026
Security is a first-class concern at DeskCrew. This page describes, in plain language, how we protect the support data that runs through the Service. We aim to be honest about what we do today rather than to over-claim certifications we do not yet hold.
Per-workspace data isolation
DeskCrew is multi-tenant: every record belongs to exactly one workspace (tenant), and access is scoped to that tenant throughout the stack. Queries are filtered by tenant, and the widget and public API are origin-locked to each tenant’s configured allowlist. One customer’s data is never exposed to another.
Encryption
- In transit — all traffic to the Service is served over HTTPS/TLS.
- At rest — the database is hosted on managed infrastructure with encryption at rest, and sensitive secrets (such as integration and identity-signing secrets) are encrypted before they are stored.
Signed inbound-email webhooks
Email-to-ticket and delivery events arrive via Mailgun. We verify the cryptographic signature on every inbound webhook before processing it, so forged or replayed requests are rejected.
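As an added illustration (not DeskCrew's own code), this Node.js sketch shows what the check above involves for Mailgun's scheme, in which the `signature` field is the hex HMAC-SHA256 of `timestamp` concatenated with `token`, keyed with the account's webhook signing key. The function names, the 300-second freshness window and the in-memory token store are assumptions made for the example.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed freshness window, not a DeskCrew setting
const seenTokens = new Map(); // token -> expiry; in-memory stand-in for a shared store

// Mailgun's scheme: hex HMAC-SHA256 over timestamp + token, keyed with the
// account's webhook signing key.
function sign(signingKey, timestamp, token) {
  return crypto.createHmac("sha256", signingKey).update(timestamp + token).digest("hex");
}

// Returns { ok, reason }. `now` is injectable so the checks can be tested.
function verifyWebhook(signingKey, fields, now = Math.floor(Date.now() / 1000)) {
  const { timestamp, token, signature } = fields || {};
  if (![timestamp, token, signature].every((v) => typeof v === "string" && v !== "")) {
    return { ok: false, reason: "malformed" };
  }
  const expected = Buffer.from(sign(signingKey, timestamp, token));
  const given = Buffer.from(signature);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // A valid signature alone does not stop replay: bound the age of the
  // timestamp and refuse any token already seen inside that window.
  const ts = Number(timestamp);
  if (!Number.isInteger(ts) || Math.abs(now - ts) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale" };
  }
  for (const [t, expiry] of seenTokens) if (expiry < now) seenTokens.delete(t);
  if (seenTokens.has(token)) return { ok: false, reason: "replayed" };
  seenTokens.set(token, ts + MAX_SKEW_SECONDS);
  return { ok: true, reason: null };
}

// Constructed sample: key, timestamp and token are made up for this demo.
const demoKey = "constructed-signing-key";
const demoTs = String(Math.floor(Date.now() / 1000));
const demo = { timestamp: demoTs, token: "demo-token-0001", signature: sign(demoKey, demoTs, "demo-token-0001") };
console.log(verifyWebhook(demoKey, demo)); // first delivery
console.log(verifyWebhook(demoKey, demo)); // same message again
console.log(verifyWebhook("wrong-key", { ...demo, token: "demo-token-0002" }));
```

In a serverless deployment the seen-token set has to live in a store shared by all instances, since a per-process map does not see deliveries handled elsewhere.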
Human-in-the-loop for AI & agent actions
The AI auto-responder and the x402 agent door never message a customer on their own. AI-generated replies and agent-proposed actions land in an approval queue for a human on the team to review, edit, and approve. The agent layer ships off by default behind kill-switches and fails closed.
Rate limiting & abuse protection
Public endpoints — the widget submit path, agent door, and API — are rate-limited and input-validated to protect against abuse and runaway usage. Agent payments carry per-wallet caps and a reputation gate.
Authentication & access control
Operators authenticate to sign in to a workspace, and sensitive actions (rotating widget keys, managing allowed origins, revealing identity secrets) are gated to admin/operator roles and recorded in an audit trail.
Infrastructure
DeskCrew runs on Vercel with a managed Supabase (PostgreSQL) database. We rely on these providers’ platform-level security controls in addition to our own application safeguards. See our Privacy Policy for the full sub-processor list.
Responsible disclosure
If you believe you have found a security vulnerability, please report it privately to security@deskcrew.io (or hello@deskcrew.io). Please give us a reasonable opportunity to investigate and remediate before any public disclosure, and do not access or modify data that is not yours while testing. We appreciate good-faith research and will work with you.
This page describes our current practices for transparency and is not a contractual warranty or a substitute for a formal security assessment. For security questions specific to your deployment, contact us.