Security & Trust

Your data is safe with us

illmCRM is built on the same security fundamentals that enterprise software relies on — EU hosting, end-to-end encryption, daily backups, and full data portability.

EU Infrastructure

IONOS EU

All data is hosted on IONOS servers located in the European Union. Your customer data never leaves EU jurisdiction, helping you meet GDPR territorial requirements.

Encryption in Transit & at Rest

TLS 1.3 · bcrypt

Every connection to illmCRM is encrypted with TLS 1.3. Passwords are hashed using bcrypt (cost factor 12). API tokens are JWTs signed with HS256 and expire automatically.

Daily Encrypted Backups

Daily · 30-day retention

Automated PostgreSQL backups run daily at 02:00 UTC. Dumps are gzip-compressed and uploaded to S3-compatible storage. Daily backups are retained for 30 days; weekly snapshots for 90 days.

GDPR Data Portability

GDPR Art. 20

Any tenant administrator can download a full CSV export of all their CRM data — contacts, accounts, deals, leads, and users — at any time via the Settings page. No lock-in, no delays.

Outbound Webhooks

HMAC-SHA256

Connect illmCRM to Zapier, Make, Slack, or any HTTP endpoint using our outbound webhook system. All payloads are HMAC-SHA256 signed so you can verify authenticity at the receiving end.
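Verifying a signed payload at the receiving end could look like the sketch below. This is an added example, not illmCRM's own code. The header name `X-Webhook-Signature`, the hex encoding with an optional `sha256=` prefix, the event fields, and signing over the raw request body are all assumptions, since this page does not document them.

```python
import hashlib
import hmac
import json

# Assumptions (not documented on this page): the signature arrives as a hex
# digest, optionally prefixed "sha256=", computed over the raw request body.
SIGNATURE_PREFIX = "sha256="


def sign(secret: bytes, raw_body: bytes) -> str:
    """Sender side, reproduced here only to build constructed test data."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, signature_header) -> bool:
    """Return True only if the header carries a valid HMAC-SHA256 of raw_body."""
    if not secret or not isinstance(signature_header, str):
        return False  # missing header or unset secret must fail closed
    candidate = signature_header.strip()
    if candidate.startswith(SIGNATURE_PREFIX):
        candidate = candidate[len(SIGNATURE_PREFIX):]
    try:
        received = bytes.fromhex(candidate)
    except ValueError:
        return False  # not hex: reject instead of raising into the handler
    expected = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # compare_digest runs in constant time, so timing does not leak the digest
    return hmac.compare_digest(received, expected)


def handle_delivery(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second; returns (status_code, parsed_event_or_None)."""
    sig = headers.get("X-Webhook-Signature")  # hypothetical header name
    if not verify_webhook(secret, raw_body, sig):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample delivery (not real illmCRM output).
SECRET = b"constructed-shared-secret"
BODY = b'{"event":"deal.updated","id":42}'
HEADERS = {"X-Webhook-Signature": SIGNATURE_PREFIX + sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_delivery(SECRET, BODY, HEADERS))
    # Re-serialising the JSON changes the bytes, so the signature no longer matches.
    print(handle_delivery(SECRET, json.dumps(json.loads(BODY)).encode(), HEADERS))
```

The signature is checked against the bytes exactly as received; a framework that parses and re-serialises the JSON before the check will produce false mismatches.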

Access Control

RBAC · JWT

Role-based access control (admin, manager, user) is enforced at the API layer. Short-lived JWTs with silent refresh limit the blast radius of a compromised token.

Audit Logging

Audit trail

Security-relevant actions — including data exports, session invalidations, and webhook registrations — are recorded in tamper-evident audit logs stored in the same transactional database.

Responsible Disclosure

Bug bounty (email)

We take vulnerability reports seriously. If you discover a security issue, please email us directly — we commit to acknowledging reports within 48 hours and issuing fixes for critical issues within 7 days.

Uptime commitment

We target 99.5% monthly uptime for all production services. Planned maintenance windows are announced at least 24 hours in advance. Unplanned incidents are communicated via the status page below.

View live status page →

Security FAQ

Where is my data stored?

On IONOS dedicated servers in the EU (Frankfurt region). No data is replicated to US or Asian regions without your explicit consent.

Who can access my data?

Only authorised platform operators and your own tenant users. Platform operators access data only to resolve support tickets or apply maintenance, and access is logged.

What happens if I cancel my subscription?

Your data remains accessible for 30 days after cancellation so you can export it. After 30 days, tenant data is purged from active storage. Backup copies are removed at the end of their retention window (max 90 days from last backup).

How do I export my data?

Log in to illmCRM, go to Settings → Data Export, and choose the modules you want. A CSV download starts immediately. No request forms, no waiting.

Is illmCRM SOC 2 certified?

Not yet — we are a growing platform. We follow the security controls that underpin SOC 2 Type II and plan a formal audit as we scale. The architecture and practices described on this page are implemented today.

Have a security question?

For vulnerability reports, data-processing agreements (DPA), or general security enquiries, email us directly.

support@illmsoft.com