Unladen CRM

Security

Last updated 15 July 2026

Unladen CRM holds the most sensitive information an advice practice has. This page describes, plainly, how it is protected. We would rather be specific than impressive-sounding.

Encryption designed so we can’t read your client records

  • Client records are encrypted with AES-256-GCM using a data-encryption key that is unique to each practice.
  • Each practice’s key is itself stored only in encrypted (wrapped) form. The master key that wraps it is never stored in the database; it exists only in the application’s runtime environment.
  • The result: a copy of the database alone is not enough to read client records, and reading them is not part of how we operate the service.
  • All traffic is encrypted in transit with TLS.

Multi-factor authentication, enforced by the database

  • Every account must enrol an authenticator app. There are no password-only accounts.
  • Enforcement goes deeper than the login screen: the database itself refuses to return practice data to any session that has not verified a second factor. A stolen password on its own retrieves nothing.
  • Accounts are created by invitation only; there is no public signup.

Tenant isolation

  • Every row of practice data is protected by database row-level security: queries can only ever return data belonging to the signed-in user’s own practice.
  • Each practice’s documents live in private storage, accessible only through the application.

Australian hosting

  • Database, documents and backups are hosted in Sydney (AWS ap-southeast-2, via Supabase). Application code runs in Sydney on Vercel.
  • Everyone who builds and supports Unladen CRM is based in Australia.
  • One qualified exception: transactional emails (invitations, password resets) are delivered via Resend and processed in the United States. Client records are never included in emails.

Accountability

  • Sensitive actions in the service are recorded in an append-only audit log, one that the database prevents anyone, including us, from quietly editing.
  • Databases are backed up daily, with backups retained for 7 days.

Our providers

  • Supabase: database, document storage and authentication (Sydney region)
  • Vercel: application hosting (Sydney functions)
  • Resend: transactional email (United States)

Reporting a vulnerability

If you believe you have found a security issue in Unladen CRM, please email admin@unladencrm.com.au with the details. We read these promptly, we will not take action against good-faith research, and we appreciate the help.