Smart · Secure · Scalable
Security designed in, not bolted on.
Workspace-level isolation, role-and-designation access control, server-side permission guards, brute-force protection, PCI-DSS-aligned card handling — all defaults, on every plan.
Workspace isolation
Every list query goes through a workspaceId index. Every mutation re-verifies the row's workspace before patching. Architected for zero cross-tenant data exposure — independent third-party verification on the v1.0 roadmap.
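As an added illustration of the pattern described above (not the product's own code), a minimal in-memory version of the list-by-workspace query and the re-verify-before-patch mutation, with the server-side role guard applied in the same place; the record table, the request context shape (workspaceId and role taken from the verified session) and the AccessDenied error are constructed assumptions:

```javascript
// Constructed in-memory table standing in for the database (sample data, not real records).
const records = new Map([
  ["rec_1", { id: "rec_1", workspaceId: "ws_a", name: "Acme invoice", status: "draft" }],
  ["rec_2", { id: "rec_2", workspaceId: "ws_b", name: "Globex invoice", status: "draft" }],
]);

class AccessDenied extends Error {}

// Hypothetical request context: workspaceId and role come from the verified
// session on the server, never from the request body.
function listRecords(ctx) {
  // Equivalent of reading through the workspaceId index: the tenant filter is
  // applied server-side, so a caller cannot ask for another workspace's rows.
  return [...records.values()].filter((r) => r.workspaceId === ctx.workspaceId);
}

function patchRecord(ctx, id, patch) {
  const row = records.get(id);
  // Re-verify the row's workspace before patching. A missing row and a row that
  // belongs to another workspace produce the same error, so a caller learns
  // nothing about ids that exist in other tenants.
  if (!row || row.workspaceId !== ctx.workspaceId) {
    throw new AccessDenied(`record ${id} not found in workspace ${ctx.workspaceId}`);
  }
  // Server-side role guard: hiding the edit button in the UI is not a control.
  if (ctx.role !== "admin") {
    throw new AccessDenied(`role ${ctx.role} may not edit records`);
  }
  // Never let a patch move the row to another workspace or rewrite its id.
  const { workspaceId: _ws, id: _id, ...safePatch } = patch;
  const updated = { ...row, ...safePatch };
  records.set(id, updated);
  return updated;
}

// Usage: same record id, two workspaces. The second call is denied.
const adminA = { workspaceId: "ws_a", role: "admin" };
const adminB = { workspaceId: "ws_b", role: "admin" };
console.log(patchRecord(adminA, "rec_1", { status: "sent" }).status); // sent
try {
  patchRecord(adminB, "rec_1", { status: "sent" });
} catch (e) {
  console.log(e instanceof AccessDenied, e.message);
}
```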
Encrypted in transit & at rest
TLS 1.2+ for every request. All records encrypted at rest with AES-256 on managed infrastructure.
Role-based access
Three tiers — admin, employee, customer — plus designation-level permissions and per-user overrides. Role and permission edits guarded server-side, not just hidden in the UI.
Brute-force protection
Login, registration, and password reset are rate-limited per email and per IP. Failed attempts throttle automatically — no manual ops needed.
Multi-factor authentication
TOTP via any RFC-6238 authenticator (Google Authenticator, Authy, 1Password) and WebAuthn passkeys (Touch ID, Face ID, Windows Hello, hardware keys). Available on every plan. 10 single-use recovery codes per account.
Audit trail
Every create, edit, delete, login and card reveal is written to an immutable log — who, what, when, across every record type. 90-day retention on every plan; extended retention on Enterprise.
Session control
See every active login by user and device. Revoke any session instantly from the admin panel. Session tokens never returned to admins; super-admin sessions can't be force-logged-out by tenant admins.
PCI-DSS aligned
Card CVVs are never stored. PAN is reduced to last-four for display. Sensitive payment data lives only in your gateway, not in our DB.
Frozen snapshots
Payslips and invoices freeze their context at creation — historical records stay correct forever, even as master data changes.
Data export, anytime
Every table is exportable to CSV or JSON from the admin panel. Your data is yours — including the schema for it.
Compliance
Where we are on the compliance map.
We're new and we're transparent about it. Here's what's done, what's in progress, and what we'll commit to as you grow with us.
Data processing addendum available on request
Today: US. EU + APAC on the v1.0 roadmap for Enterprise
privacy@praxcrm.com — see /.well-known/security.txt
SOC 2 + ISO 27001 will be pursued before our first Enterprise contract — auditor and timeline will be published here once engaged.
Frequently asked security questions
Where is my data physically stored?
Can you see my data?
What happens if I cancel?
Do you support SSO?
How are passwords stored?
Can I sign a DPA?
Need a security review before committing?
We're happy to walk your team through it. No sales pressure.