Trust & Security
Security at Krew
Krew is built to protect the operational data service businesses rely on every day, including customer records, jobs, invoices, communications, team access, billing status, and connected integrations.
Last updated
May 26, 2026
Security contact
support@joinkrew.co
Security Overview
We use layered safeguards across application access, workspace authorization, provider infrastructure, webhook verification, secrets management, monitoring, and operational practices. Security is a shared responsibility: Krew protects the platform, and customers are responsible for managing users, permissions, devices, passwords, connected accounts, and the data they enter.
Core Controls
Authentication
Users authenticate through Supabase-backed sessions. Account creation enforces password complexity, and protected routes require an authenticated session.
Role-based access
Workspace access is governed by roles such as owner, sales, technician, marketing, and finance, with page-level permission checks for non-owner users.
Tenant separation
Workspace data is scoped by organization IDs, and application queries are designed to resolve the active organization before returning operational data.
Billing access gates
Paid workspace access is tied to Stripe subscription state. Users who start but do not complete checkout are routed back to payment rather than the dashboard.
Secure webhook handling
Stripe and Square webhook handlers support signature verification so payment events can be validated before updating billing or invoice state.
Tokenized public links
Public job-update and invoice-style workflows use unique tokens, or the hashes of such tokens, rather than exposing authenticated workspace sessions.
Infrastructure and Providers
Krew relies on established infrastructure and service providers for hosting, database, authentication, payments, email, messaging, integrations, and AI features. Depending on enabled features, providers may include Supabase, Vercel or hosting infrastructure providers, Stripe, Square, Twilio, Resend, Google, Meta, OpenAI, Anthropic, and related operational tools.
These providers maintain their own security programs. Krew uses them to reduce direct handling of highly sensitive data where possible, such as payment card details that are processed by payment providers rather than stored by Krew.
Data Protection Practices
- Sensitive configuration values are managed through environment variables and deployment secrets rather than being hard-coded into application code.
- Service-role database access is kept server-side and used only for controlled server workflows where elevated access is required.
- Payment card details are handled by payment providers. Krew stores payment and subscription identifiers, not full card numbers.
- OAuth tokens and connected-account identifiers are stored only as needed to operate requested integrations.
- Access to customer data is limited by workspace membership, role, page permissions, and application-level authorization checks.
- Application logs and error handling are used to diagnose issues without intentionally exposing sensitive secrets.
Communications and Integrations
Krew supports SMS, email, payments, Google, Meta, social posting, calendar sync, reviews, AI content, and other connected workflows. These integrations can involve third-party APIs and tokens. Customers should connect only accounts they are authorized to use and should disconnect integrations that are no longer needed.
Message delivery, payment processing, social publishing, and calendar sync may depend on third-party provider availability, provider permissions, rate limits, account status, and external platform policies.
Operational Monitoring and Maintenance
We monitor application behavior, investigate errors, apply updates, and address reliability or security issues as they are identified. We may temporarily restrict access, disable integrations, rotate credentials, or take other protective action if we detect suspicious activity, abuse, provider compromise, or risk to customer data.
Customer Responsibilities
Krew security works best when customers maintain strong internal controls. Workspace owners should:
- Use strong, unique passwords and protect email accounts used for login and password reset.
- Review team roles, page access, and owner/admin privileges regularly.
- Remove users promptly when employees or contractors leave.
- Limit integrations to accounts your business controls and disconnect unused integrations.
- Avoid entering highly sensitive data, payment card numbers, government identifiers, or health information unless required for your own lawful business workflow.
- Train staff on SMS, email, payment, and customer-data handling obligations.
- Report suspected unauthorized access, exposed credentials, or data issues promptly.
Incident Reporting
If you believe your Krew account, workspace, customer data, integration tokens, or payment workflow may have been compromised, contact us immediately at support@joinkrew.co. Please include your workspace name, contact information, a summary of what happened, relevant timestamps, and any affected integrations or users.
Compliance and Limitations
Krew is designed for general business operations. Unless we separately agree in writing, Krew is not intended for storing regulated health information, classified information, full payment card data, bank credentials, government identifiers, or other highly sensitive regulated data.
This page describes current security practices at a high level. It is not a guarantee that the service is immune from all security risks, and it does not create contractual security commitments beyond those in our written agreements, Terms of Service, and Privacy Policy.
© 2026 Krew AI. All rights reserved.
