Security & Trust

RedCrown proves which model config is cheapest at equal-or-better quality on your own data. This page states plainly how your data and keys are handled. We describe only what is true today. We hold no formal certification (no SOC 2, no ISO 27001) and do not claim any.

Last updated 2026-07-02

What stays on your machine

The redcrown CLI runs evals locally. Your provider keys and your raw inputs and model outputs never leave your machine during a local redcrown eval. When you choose to publish a proof, only the aggregate ranked results are uploaded.

Keys and secrets, encrypted at rest

Proofs, retention, and revocation

Tenant isolation

Every authenticated data route is workspace-scoped. Access is validated against your workspace memberships, and stored data is tagged by workspace, so one tenant's data is never returned to another. Database row-level security is deny-by-default on the sensitive tables.

Subprocessors

RedCrown uses the following platform subprocessors. The model providers you evaluate are connected with your own keys and are under your control.

SubprocessorPurpose
RailwayBackend application compute
Supabase (Postgres + object storage)Application database and encrypted eval-input storage
NetlifyStatic hosting for the marketing site and the app
StripeSubscription billing (card data never reaches RedCrown)
Model providers you connectRun your eval calls under your own keys (e.g. OpenAI, Anthropic, AWS, Deepgram, OpenRouter)

Enterprise

For regulated teams we discuss self-hosted / VPC deployment, private model routing, SSO, audit logging, and data residency, plus neutral attestation and a buyer-controlled holdout re-run. Talk to us.

Reporting a vulnerability

Found a security issue? Email security@redcrown.ai. Please include steps to reproduce and give us a reasonable window to remediate before any public disclosure. We do not currently run a paid bug-bounty program.