Security is the product

A backup tool is only as good as the trust you can place in it. Here is exactly how CRMDataSafe handles your data.

Read-only by design

We request only read scopes from the Attio API. CRMDataSafe is technically unable to create, modify or delete anything in your workspace — the permission simply doesn't exist on our token.

Your storage, not ours

Backups stream from Attio directly into your own Google Drive or OneDrive. We hold no copy of your CRM data. Revoke our access at any time and we're locked out instantly.

Encrypted credentials

OAuth tokens are encrypted at rest with AES-256-GCM using keys that never leave our secret manager. Tokens are never written to logs and never exposed to the browser.

Isolated tenant data

Every database row is protected by Postgres row-level security. Your account can only ever see its own connections, schedules and run history.

Minimal data retention

We store metadata only: run timestamps, record counts and error messages. The backup content itself lives exclusively in your cloud storage.

Least-privilege storage access

On Google Drive we use the drive.file scope, which only grants access to files CRMDataSafe itself creates — we cannot see the rest of your Drive.

Questions about our security posture?

We're happy to walk your team through our architecture, data flows and subprocessors.

security@CRMDataSafe.app Start free trial