Security & Compliance

SSO, SCIM, audit logs, encryption, GDPR, SOC2 — what HotCRM does and how to configure it.

This page covers the security and compliance controls available in HotCRM. Many are configured at the platform layer; some are policy choices you make as an admin.

Authentication

Username + password

  • Strong password policy enforced (min length, complexity, history, expiration).
  • Bcrypt-hashed; never stored in plain text.
  • Account lockout after N failed attempts (configurable; default 5).

Multi-factor authentication (MFA)

  • TOTP (Google Authenticator, Authy, 1Password) — recommended for all users.
  • WebAuthn / hardware keys (YubiKey, Touch ID).
  • Backup recovery codes.
  • Admins should mandate MFA for all users — Setup → Security → MFA Policy.

Single Sign-On (SSO)

Supported protocols:

  • SAML 2.0 — Okta, Azure AD, Google Workspace, OneLogin, Ping.
  • OpenID Connect (OIDC) — Auth0, AWS Cognito.
  • OAuth 2.0 — for delegated app access.

Configure at Setup → Security → SSO. When SSO is on, you can disable password login entirely.

SCIM provisioning

Sync users from your identity provider automatically:

  • New IdP user → new HotCRM user with the right profile + role.
  • IdP group changes → HotCRM permission set changes.
  • IdP user deactivation → HotCRM user deactivated, records reassigned.

Configure at Setup → Security → SCIM.

Authorisation

The full layered model is in Sharing & Security. Quick summary:

Layer                  Controls
Profile                What actions a user can do (create/edit/delete)
Permission set         Extra actions on top of profile
Org-wide default       Baseline record visibility per object
Role hierarchy         Managers see their team's records
Sharing rules          Exceptions to OWD
Account teams          Per-record sharing
Field-level security   Per-field read/edit

Network & login controls

  • IP allowlists — restrict login to specific IPs/ranges (per profile).
  • Login hours — restrict login to working hours (per profile).
  • Session timeout — idle timeout (default 30 min) and absolute timeout (default 12 hr).
  • Concurrent sessions — max simultaneous sessions per user.
  • Device trust — flag new devices and require email confirmation.

Configure at Setup → Security → Session Policy.

Audit logs

Every meaningful action is logged immutably:

Category                What's logged
Authentication          Login success / failure, MFA, IP, device
Authorisation changes   Profile / permission set / role changes
Record changes          Create / update / delete with before+after values
Configuration           Field, validation, workflow, sharing rule edits
Data export             Who exported what, when, how many rows
AI invocations          Which user invoked which skill on which record
Integration activity    Webhook deliveries, OAuth grants
Mass actions            Mass edit, mass delete, mass assign

Retention:

  • 90 days in the live audit log UI.
  • 7 years in the archived audit log (S3 / object storage).
  • Configurable to longer for regulated industries.

Read the audit log at Setup → Security → Audit Log. Export to CSV or stream to your SIEM (Splunk, Datadog, Elastic).

Encryption

At rest

  • Database: AES-256 column-level encryption for sensitive fields (SSN, payment, health data).
  • File storage: AES-256 server-side encryption.
  • Backups: encrypted with separate keys.

In transit

  • TLS 1.3 for all HTTP traffic.
  • mTLS between internal services.
  • Webhooks signed with HMAC-SHA256 for integrity.
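The HMAC-SHA256 signature on outbound webhooks only protects you if the receiving side checks it correctly. The following is an added example of a receiver-side verifier, not HotCRM's own code; the header layout it assumes (a Unix timestamp and a hex digest over "<timestamp>.<raw body>") is an assumption for illustration, so substitute the header names from your HotCRM webhook settings. The three properties it demonstrates hold for any HMAC-signed webhook: verify over the raw body before parsing, compare in constant time, and bound the timestamp to limit replay.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed scheme for this example (not HotCRM's documented header names):
# the sender computes HMAC-SHA256 over "<unix_timestamp>.<raw_body>" with the
# shared webhook secret and sends the hex digest and the timestamp as headers.
MAX_SKEW_SECONDS = 300  # reject deliveries whose timestamp is off by more than 5 minutes


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Hex HMAC-SHA256 over the timestamp and the raw body bytes."""
    message = str(timestamp).encode("ascii") + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: Optional[str],
                   signature_header: Optional[str], body: bytes,
                   now: Optional[int] = None) -> bool:
    """Accept a delivery only if the signature is valid and the timestamp is fresh.

    - Verify over the raw request body, before any JSON parsing, so that
      whitespace or key-order changes on re-serialisation cannot break the check.
    - Compare with hmac.compare_digest (constant time), so the comparison does
      not leak how many leading characters of the signature matched.
    - Bound the timestamp so a captured, genuine delivery cannot be replayed
      indefinitely.
    """
    if not isinstance(timestamp_header, str) or not isinstance(signature_header, str):
        return False
    try:
        ts = int(timestamp_header)
    except ValueError:
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > MAX_SKEW_SECONDS:
        return False
    expected = sign_webhook(secret, ts, body)
    try:
        return hmac.compare_digest(expected, signature_header.strip().lower())
    except TypeError:  # non-ASCII header content can never be a valid hex digest
        return False


if __name__ == "__main__":
    # Constructed sample delivery; the secret and payload are placeholders.
    secret = b"constructed-webhook-secret"
    body = b'{"event":"record.updated","object":"Account","id":"acc_0001"}'
    ts = int(time.time())
    sig = sign_webhook(secret, ts, body)
    print("genuine delivery accepted:", verify_webhook(secret, str(ts), sig, body))
    print("tampered body rejected:", not verify_webhook(secret, str(ts), sig, body + b" "))
    print("stale delivery rejected:", not verify_webhook(secret, str(ts - 3600), sig, body))
```

Keep the webhook secret out of the application repository (a secrets manager or environment variable), and log rejected deliveries: a burst of signature failures on the receiving endpoint is itself a signal worth seeing in the integration activity review.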

Field-level encryption

Mark sensitive fields as encrypted in the field definition. Encrypted fields are:

  • Stored encrypted in the database.
  • Visible only to users with the View Encrypted Data permission.
  • Excluded from SQL-level queries (only the platform can decrypt).
  • Logged with their decrypted value masked in the audit log.

Data residency

Choose where customer data is stored:

  • US (default for North American customers)
  • EU (Frankfurt / Dublin)
  • APAC (Tokyo / Sydney)
  • Self-hosted — your VPC, your control.

Cross-region transfers can be disabled per tenant for compliance with EU data residency rules.

GDPR

Right of access

A subject can request all their data:

  1. Setup → Privacy → Data Subject Requests → New → Export.
  2. Provide the contact's email.
  3. The system generates a JSON / PDF bundle of every record referencing them.
  4. Deliver to the subject; the request is logged in the privacy audit log.

Right of erasure

  1. Setup → Privacy → Data Subject Requests → New → Delete or Anonymise.
  2. Preview what will be affected.
  3. Choose Delete (purge) or Anonymise (mask PII, keep records for analytics).
  4. Confirm — system produces an audit certificate.

Anonymisation is typically preferred, since it preserves the integrity of historical reports.
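To show what "preview, then Delete or Anonymise" means at the record level, here is an added example that is not HotCRM's code and does not use its schema: the records, field names and subject address are constructed for illustration. It previews every record referencing the subject, masks the PII fields while keeping the analytics fields (amount, stage, dates, country), replaces the e-mail with a keyed token so the subject's records remain linkable to each other in reports, and produces a summary suitable for the audit entry.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample records (placeholder data, not from any real tenant).
# Field names are assumptions for this example, not HotCRM's schema.
RECORDS: List[Dict] = [
    {"object": "Contact", "id": "con_001", "email": "jane.doe@example.com",
     "first_name": "Jane", "last_name": "Doe", "phone": "+44 20 7946 0000",
     "country": "GB", "created": "2023-04-02"},
    {"object": "Contact", "id": "con_002", "email": "other@example.com",
     "first_name": "Omar", "last_name": "Other", "phone": "+44 20 7946 0001",
     "country": "GB", "created": "2023-05-11"},
    {"object": "Opportunity", "id": "opp_010", "contact_email": "jane.doe@example.com",
     "amount": 12000, "stage": "Closed Won", "close_date": "2023-09-15"},
    {"object": "Activity", "id": "act_500", "contact_email": "jane.doe@example.com",
     "type": "Call", "notes": "Called Jane about renewal", "date": "2023-08-01"},
]

EMAIL_FIELDS = {"email", "contact_email"}
PII_FIELDS = EMAIL_FIELDS | {"first_name", "last_name", "phone", "notes"}


def find_subject_records(records: List[Dict], subject_email: str) -> List[Dict]:
    """Preview step: every record that references the subject's e-mail address."""
    target = subject_email.strip().lower()
    return [r for r in records
            if any(str(r.get(f, "")).lower() == target for f in EMAIL_FIELDS)]


def pseudonym(key: bytes, value: str) -> str:
    """Keyed, deterministic token that replaces the e-mail, so the subject's
    records stay linkable to each other in reports without the real address."""
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return "anon_" + digest.hexdigest()[:12]


def anonymise(records: List[Dict], subject_email: str, key: bytes) -> List[Dict]:
    """Mask PII on every affected record; keep amounts, stages, dates, country."""
    affected = {r["id"] for r in find_subject_records(records, subject_email)}
    token = pseudonym(key, subject_email)
    result = []
    for r in records:
        if r["id"] not in affected:
            result.append(r)
            continue
        masked = dict(r)  # copy, so the caller's preview data is left untouched
        for field in PII_FIELDS.intersection(masked):
            masked[field] = token if field in EMAIL_FIELDS else "[anonymised]"
        result.append(masked)
    return result


def purge(records: List[Dict], subject_email: str) -> List[Dict]:
    """Hard delete: drop every affected record outright."""
    affected = {r["id"] for r in find_subject_records(records, subject_email)}
    return [r for r in records if r["id"] not in affected]


def audit_certificate(action: str, records: List[Dict], subject_email: str) -> Dict:
    """Summary for the privacy audit entry, computed from the preview before the
    action is applied: what was done, to which record ids, plus a digest over
    the id list so the entry can be checked later."""
    ids = sorted(r["id"] for r in find_subject_records(records, subject_email))
    return {"action": action, "record_count": len(ids), "record_ids": ids,
            "ids_sha256": hashlib.sha256("\n".join(ids).encode("utf-8")).hexdigest()}


if __name__ == "__main__":
    subject = "jane.doe@example.com"
    print("preview:", [r["id"] for r in find_subject_records(RECORDS, subject)])
    print("certificate:", audit_certificate("anonymise", RECORDS, subject))
    for r in anonymise(RECORDS, subject, key=b"constructed-pseudonym-key"):
        print(r)
```

One caveat the preview does not show: while the pseudonym key exists, the tokens are pseudonymised rather than anonymous data, because the key holder can recompute them from a known address. If the goal is data that falls outside GDPR altogether, the key has to be destroyed once the masking run is complete.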

For marketing:

  • Consent fields on contact/lead — capture lawful basis and consent date.
  • Unsubscribe — auto-handled by email campaigns; updates the contact.
  • Suppression list — anyone unsubscribed is excluded from all future campaigns globally.

Data Processing Agreements

A DPA template ships in Setup → Privacy → DPA.

SOC 2 / ISO 27001

For SaaS deployments, HotCRM operates under SOC 2 Type II and ISO 27001 controls. Reports available under NDA from your account team.

Key controls:

  • Least-privilege access for the engineering team.
  • Production access via just-in-time approvals.
  • Quarterly access reviews.
  • Annual penetration testing.
  • Disaster recovery tested twice a year.
  • Bug bounty programme.

HIPAA / PHI

Available as an add-on for healthcare customers — additional BAA, encryption controls, and audit-log retention required. Contact your account team to enable.

Disaster recovery

  • RPO (Recovery Point Objective): 1 hour.
  • RTO (Recovery Time Objective): 4 hours.
  • Daily snapshots retained 30 days.
  • Weekly snapshots retained 1 year.
  • Cross-region replication for production tenants on the Enterprise plan.

Self-hosted customers — see Setup checklist for recommended backup cadence.

Security incident response

  • Status page (status.your-hotcrm-url) — incidents reported in real time.
  • Notification — security incidents affecting customer data are reported within 72 hours per GDPR.
  • Security email (security@yourcompany.com) for reporting vulnerabilities.
  • Bug bounty — see the program page.

Tips for admins

  • Mandate MFA for all users — biggest security ROI.
  • Turn on SSO + SCIM as soon as you have >10 users.
  • Restrict System Admin to 2-3 people max.
  • Review audit log monthly — look for unusual export volumes or failed-login spikes.
  • Stream audit log to SIEM for centralised monitoring.
  • Run a tabletop exercise annually — what happens if an admin account is compromised?
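The monthly review tip above names two things to look for in the audit log categories listed earlier: failed-login spikes and unusual export volumes. The following added example (not HotCRM's code, and not its audit-log export format) runs both checks over a constructed JSON-lines export; the field names `ts`, `category`, `event`, `user`, `ip`, `object` and `rows` are assumptions standing in for whatever the CSV or SIEM export actually carries. The same logic ports directly to a SIEM search once the field names are mapped.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample export in JSON-lines form. The field names and category
# values are assumptions for this example, not HotCRM's actual export schema.
SAMPLE_LOG = """\
{"ts":"2024-03-04T08:00:00Z","category":"authentication","event":"login_failure","user":"alice","ip":"203.0.113.10"}
{"ts":"2024-03-04T08:00:20Z","category":"authentication","event":"login_failure","user":"alice","ip":"203.0.113.10"}
{"ts":"2024-03-04T08:00:41Z","category":"authentication","event":"login_failure","user":"alice","ip":"203.0.113.10"}
{"ts":"2024-03-04T08:01:02Z","category":"authentication","event":"login_failure","user":"alice","ip":"203.0.113.10"}
{"ts":"2024-03-04T08:01:30Z","category":"authentication","event":"login_failure","user":"alice","ip":"203.0.113.10"}
{"ts":"2024-03-04T08:05:00Z","category":"authentication","event":"login_success","user":"bob","ip":"198.51.100.7"}
{"ts":"2024-03-04T09:00:00Z","category":"data_export","event":"export","user":"bob","object":"Contact","rows":250}
{"ts":"2024-03-04T09:30:00Z","category":"data_export","event":"export","user":"bob","object":"Contact","rows":300}
{"ts":"2024-03-04T10:00:00Z","category":"data_export","event":"export","user":"carol","object":"Contact","rows":48000}
{"ts":"2024-03-04T10:30:00Z","category":"authentication","event":"login_failure","user":"dave","ip":"192.0.2.5"}
"""

FAIL_THRESHOLD = 5                    # matches the page's default lockout count
FAIL_WINDOW = timedelta(minutes=10)   # assumed review window
EXPORT_ROW_THRESHOLD = 10_000         # assumed cap; tune to your tenant's normal volume


def parse_log(text: str) -> list:
    """Parse JSON lines into events with a datetime 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events


def failed_login_spikes(events: list) -> list:
    """Per-user sliding window: one alert when FAIL_THRESHOLD failures fall
    inside FAIL_WINDOW. Lockout stops the attempts; the review still tells you
    which accounts were targeted and from where."""
    recent = defaultdict(deque)
    sources = defaultdict(set)
    alerts, alerted = [], set()
    for e in events:
        if e.get("category") != "authentication" or e.get("event") != "login_failure":
            continue
        user = e["user"]
        window = recent[user]
        window.append(e["ts"])
        sources[user].add(e.get("ip", "?"))
        while window and e["ts"] - window[0] > FAIL_WINDOW:
            window.popleft()
        if len(window) >= FAIL_THRESHOLD and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "failures": len(window),
                           "source_ips": sorted(sources[user]),
                           "last_seen": e["ts"].isoformat()})
    return alerts


def export_anomalies(events: list) -> list:
    """Flag any single export above EXPORT_ROW_THRESHOLD rows, and any user
    whose same-day total crosses it through several smaller exports."""
    alerts = []
    daily = defaultdict(int)
    flagged_days = set()
    for e in events:
        if e.get("category") != "data_export":
            continue
        rows = int(e.get("rows", 0))
        key = (e["user"], e["ts"].date())
        daily[key] += rows
        if rows > EXPORT_ROW_THRESHOLD:
            flagged_days.add(key)
            alerts.append({"user": e["user"], "reason": "single_export",
                           "rows": rows, "object": e.get("object")})
    for key, total in daily.items():
        if total > EXPORT_ROW_THRESHOLD and key not in flagged_days:
            alerts.append({"user": key[0], "reason": "daily_total",
                           "rows": total, "day": key[1].isoformat()})
    return alerts


def review(text: str) -> dict:
    """Run both checks over a log export and return the findings."""
    events = parse_log(text)
    return {"failed_login_spikes": failed_login_spikes(events),
            "export_anomalies": export_anomalies(events)}


if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_LOG), indent=2))
```

On the constructed sample this flags alice (five failures in ninety seconds from one address) and carol's 48,000-row export, while bob's two small exports and dave's single failure stay below threshold. The daily-total rule is there because splitting one large export into many small ones is the obvious way to stay under a per-export cap; setting the thresholds from a quarter of your own export history gives a more useful baseline than a fixed number.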
