Security

SaaSyToadCRM runs on managed cloud infrastructure (application hosting and a managed Postgres database). Traffic between you and the app is encrypted in transit over HTTPS/TLS.

Every workspace is isolated. Queries are scoped to a single workspace at the data layer, so one client's records can't bleed into another's. For agencies running many clients from one login, that boundary is enforced on the server for every read and write, not just hidden in the interface.

Sensitive credentials you connect (things like API keys for your phone, email, and payment providers) are encrypted at rest before they're stored. They're decrypted only when we need them to do the job you asked for.

Accounts support two-factor authentication. We recommend every user turn it on. Access inside a workspace is controlled by roles, so people only see what their role allows.

Found something? We want to hear about it. Email security@saasytoad.com with the details and how to reproduce it. We'll get back to you, and we won't come after researchers acting in good faith.

We're a small team and we're honest about where we are. We're working toward formal third-party audits and certifications. We're not going to claim a badge we haven't earned. If a specific compliance requirement is a dealbreaker for you, ask us on a demo call and we'll tell you straight where it stands.