01 — What is encrypted
- contacts.notes: Free-text notes on a contact.
- email_attachments.subject: Subject lines of inbound emails.
- email_attachments.body: Plain-text and HTML body of inbound emails.
- email_attachments.raw: Body content is stripped from the inbound payload before it is stored. Only headers and attachment metadata remain.
02 — What is not encrypted
Encryption breaks search and sort on a column. Query keys stay readable so the product works.
- Contact name, company, email, phone, tags: Drives search, listing, and inbound contact-matching.
- Deal title, stage, amount, currency, date: Drives the kanban board, totals, and filters.
- Activity log payloads: Pseudonymous by design; email subjects were removed during the encryption rollout.
The database disk is encrypted at rest by the platform host (AES-256). That covers stolen-backup risk; the application layer covers vendor-read and key-isolation risk.
03 — Threat model
| Attack | Defended? |
|---|---|
| Stolen database backup or disk image | ✓ disk AES plus column-level ciphertext. |
| Database vendor reads tables directly | ✓ they don’t hold the application key. |
| Read-only SQL injection | ✓ leaks ciphertext, not plaintext. |
| Application host breach with environment access | ✗ attacker has both key and decryption path. |
| Logged-in user bypassing row-level security | ✗ encryption does not replace access control. |
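
The split between encrypted and readable columns, and the first three rows of the table, can be seen in a small sketch. This is an added example, not FlatCRM's code. Assumptions: AES-256-GCM as the application-layer cipher, a "v1:" storage prefix, binding each value to its table, column and row id, and all function names.

```javascript
// Added example: application-layer column encryption (not FlatCRM's code).
const crypto = require('node:crypto');

// Columns the page lists as encrypted; every other column stays readable.
const ENCRYPTED = { contacts: ['notes'], email_attachments: ['subject', 'body'] };

// Assumption: AES-256-GCM with a fresh random 96-bit nonce per stored value.
function encryptValue(key, aad, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  // Stored layout: nonce (12 bytes) | auth tag (16 bytes) | ciphertext.
  return 'v1:' + Buffer.concat([iv, c.getAuthTag(), ct]).toString('base64');
}

function decryptValue(key, aad, stored) {
  const raw = Buffer.from(stored.slice(3), 'base64');
  const d = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(raw.subarray(12, 28));
  // final() throws if the key, the AAD or the ciphertext does not match.
  return Buffer.concat([d.update(raw.subarray(28)), d.final()]).toString('utf8');
}

// The AAD ties a ciphertext to one table, column and row id.
const aadFor = (table, col, id) => `${table}.${col}:${id}`;

function sealRow(key, table, row) {
  const out = { ...row };
  for (const col of ENCRYPTED[table] || [])
    if (out[col] != null) out[col] = encryptValue(key, aadFor(table, col, row.id), out[col]);
  return out;
}

function openRow(key, table, row) {
  const out = { ...row };
  for (const col of ENCRYPTED[table] || [])
    if (out[col] != null) out[col] = decryptValue(key, aadFor(table, col, row.id), out[col]);
  return out;
}

// Constructed sample row; a deployed key would come from the app environment.
const key = crypto.randomBytes(32);
const stored = sealRow(key, 'contacts', { id: 7, name: 'Ada Example', notes: 'Prefers calls after 3pm' });
console.log(stored);                            // what a backup or read-only SQL dump shows
console.log(openRow(key, 'contacts', stored));  // what the app host, holding the key, sees
```

The last two lines also show the ✗ row for a host breach: anything that holds the environment key gets the plaintext back through the same path.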
04 — Compliance
GDPR Article 32 lists encryption of personal data as one of the appropriate technical measures. Combined with row-level security, append-only audit logging, per-tenant data isolation, and one-button export and account deletion, FlatCRM’s posture covers Article 32 and Article 25 (data protection by design) for a small-team controller.
FlatCRM is operated from Poland. A Data Processing Agreement is available on request to support@flatcrm.app.
05 — Reporting
Security reports go to support@flatcrm.app. Acknowledged within one business day.
Last verified 2026-05-06.