Security
How we protect your CRM data
✓
Encryption at rest
OAuth access tokens and refresh tokens are encrypted using Fernet symmetric encryption (AES-128-CBC) before storage. Encryption keys are environment-managed, never committed to code.
✓
Encryption in transit
All connections use HTTPS/TLS. This includes browser-to-server, server-to-CRM APIs, and server-to-AI services. No data is transmitted over unencrypted channels.
✓
Password security
Passwords are hashed with bcrypt (work factor 12). We never store or log plaintext passwords. Brute force protection limits login attempts to 10 per minute per IP.
✓
Read-only CRM access
By default, we request only read permissions from your CRM via OAuth. We never modify, delete, or write to your CRM data unless you explicitly initiate a cross-CRM sync.
✓
7-day data retention
Export files are automatically deleted from our servers after 7 days. You can download your data at any time during this window. After deletion, no copy remains on our infrastructure.
✓
One-click disconnect
Revoke CRM access instantly from the dashboard. When you disconnect, we immediately delete your encrypted OAuth tokens and all associated export data.
✓
No data selling or sharing
Your CRM data is never sold, shared with third parties, or used for advertising. The only external service that receives any data is our AI provider for Smart Filters — and it only receives field names, never actual record values.
✓
OAuth 2.1 with PKCE
CRM connections use OAuth 2.1 with Proof Key for Code Exchange (PKCE) where supported, preventing authorization code interception attacks.
✓
Rate limit protection
We use only 70% of your CRM's API rate limit, leaving 30% headroom for your team's other integrations. Adaptive backoff prevents any risk of exceeding limits.
AI & Smart Filters
When you use Smart Filters, we send only field names and sample value formats to our AI provider — never your actual contact names, emails, phone numbers, or deal values. All filtering is performed locally on our servers against your exported data.
Infrastructure
- Hosted on dedicated VPS infrastructure
- SQLite database with WAL mode for data integrity
- CSRF protection on all OAuth flows
- Session cookies are HTTP-only and SameSite=Lax
- No third-party analytics, tracking scripts, or advertising cookies
Compliance
- GDPR: EU users have full rights to access, export, rectify, and delete their data. Contact us to exercise these rights.
- Data portability: All exports are in standard JSONL and CSV formats, compatible with any system.
- Payment processing: Handled entirely by Stripe. We never see or store credit card numbers.
Reporting a vulnerability
If you discover a security issue, please email security@lucilead.com. We take all reports seriously and will respond within 48 hours.
← Back to CRM Liberator ·
Terms ·
Privacy