Security at NairoCRM

Your data, locked down.

Encryption in transit and at rest. Least-privilege access. Audit logs for every change. NairoCRM is built so the answer to "is this safe?" is always yes.

Security controls

  • Encryption in transit: TLS 1.3 enforced (active)
  • Encryption at rest: AES-256 on all databases (active)
  • Audit logs: every action recorded (live)
  • Daily backups: encrypted off-site (verified)
The pillars

Security at every layer.

Encrypted by default

TLS 1.3 in transit. AES-256 at rest. Keys rotated and managed by your hosting partner's KMS. No data leaves unencrypted.

Least-privilege access

Roles and permissions inside the product. Inside our team, production access is restricted to the people who need it and logged.

Audited and observable

Every change to a record, every login, and every permission update is logged with the acting user and a timestamp. Audits stop being a fire drill.

Backed up. Recoverable.

Daily encrypted backups, retained off-site. Tested restore procedures. If something goes wrong, your data comes back.

How we actually do it

The practices behind the promise.

Data protection

  • TLS 1.3 enforced on all customer connections
  • AES-256 encryption at rest on databases and backups
  • Database snapshots encrypted and stored off-site
  • Sensitive fields (passwords, tokens) hashed with industry-standard algorithms
  • Strict separation between customer tenants

Access control

  • Role-based permissions inside every customer account
  • Two-factor authentication available on all accounts
  • Production access for our team restricted and logged
  • Engineer access reviewed quarterly
  • Mandatory password rotation and SSO support

Infrastructure

  • Hosted on enterprise-grade cloud infrastructure
  • Physical security handled by hosting partners (SOC 2, ISO 27001)
  • Regional data centres with redundancy
  • Network isolation between production and non-production
  • Firewalls and intrusion detection in front of every service

Secure development

  • Code review required for every change
  • Static analysis and dependency scanning in our pipeline
  • Periodic penetration testing by independent third parties
  • Responsible disclosure process for security researchers
  • Security training for all engineers

Monitoring & response

  • 24/7 alerting on performance and security signals
  • On-call rotation for production incidents
  • Documented incident response runbooks
  • Customer notification within the timeframe required by applicable law
  • Live incident history on our Status page

Privacy by design

  • Data minimization: we collect only what we need
  • Strict separation between customer data and our own analytics
  • Customer data never used to train models without consent
  • Data export and deletion tools built into the product
  • Full details in our Privacy Policy

Compliance

Built to meet the standards you need.

GDPR & POPIA (aligned)

Built around the principles of GDPR (EU) and POPIA (South Africa). Data minimization, lawful basis, data subject rights, breach notification. A signed DPA is available on request.

SOC 2 Type II (in progress)

Our SOC 2 Type II programme is underway, building on the controls we run today. Customers under NDA can request our current status and audit timeline.

ISO 27001 hosting (inherited)

Our cloud hosting partners are ISO 27001 and SOC 2 certified. The physical, environmental, and infrastructure layers benefit from those programmes directly.

Frequently asked

The things buyers and IT teams ask.

Where is my data physically stored?

Data is stored in cloud infrastructure with our hosting partners. We choose providers with regional data centres and strong security programmes. For specific region requirements, contact us and we will discuss what is possible on your plan.

Do you sell customer data?

No. We never sell customer data. We do not use customer data to train models, target ads, or generate revenue outside of providing the NairoCRM service to you.

Can I get a signed DPA?

Yes. Our Data Processing Agreement is available on the DPA page, and for most customers, accepting our Terms of Service automatically incorporates it. If your procurement or legal team needs a counter-signed copy, contact us and we will send one within 5 business days.

What happens if there is a security incident?

We have a documented incident response process. Confirmed incidents that affect customer data trigger notifications to affected customers within the timeframe required by applicable law, with the information available at the time and updates as we learn more. Service-level incidents are published live on our Status page.

Can I delete all of my data?

Yes. You can delete records from inside the product, and you can request full deletion of your account. After cancellation we retain data for a short grace period (in case you reactivate), then delete or anonymize it. Some records may be retained longer where the law requires it (for example, billing records).

How do I report a vulnerability?

We welcome reports from security researchers. Send a detailed report to our security team using the contact link below. We will acknowledge receipt and work with you in good faith to investigate, fix, and recognise valid findings.

Have questions your IT team needs answered?

Our team can walk through controls, send compliance docs, or counter-sign a DPA. We reply within one business day.