CMG Workflow is built with enterprise-grade security from the ground up. Here's exactly how we protect your agency's data.
All data is encrypted at rest, and in transit using TLS 1.3. Your agency's data is protected with the same encryption standard used by banks and government agencies.
Hosted on Vercel (Frankfurt) and Supabase (EU region). Your data never leaves the European Union.
Every database query is filtered by organization. Tenant A can never see Tenant B's data — enforced at the database level, not just application code.
Granular permissions system. Control who can view, edit, or manage leads, clients, billing, and settings.
As an EU company, GDPR is not an afterthought — it's the foundation of how we handle data.
EU Company
CMG Frameworks SRL is an EU company (Romania) subject to GDPR by default.
Data Processing Agreement
DPA available on request for all customers.
Right to Erasure
Users can request complete data deletion at /privacy/data-deletion.
Data Portability
Export all your data at any time in standard formats.
Consent Management
Cookie consent and tracking preferences built in.
Data Minimization
We only collect what's necessary to deliver the service.
Sub-processors
Vercel (hosting, EU), Supabase (database, EU), Google (Gemini AI, for AI features only).
Vercel Edge Network
Automatic DDoS protection and global CDN for fast, reliable delivery.
Supabase PostgreSQL
Managed database with automatic backups and point-in-time recovery.
HTTPS Everywhere
HSTS enforced, with security headers including CSP, X-Frame-Options, and X-Content-Type-Options.
No Plaintext Secrets
All credentials stored in environment variables, never in code.
For agencies managing sensitive client data, tenant isolation is non-negotiable. Here's how we guarantee it.
Unique Organization IDs
Every organization has a cryptographically unique identifier. All data is scoped to this ID.
RLS on Every Table
Row-Level Security policies are enforced on every single table in the database.
Database-Level Enforcement
Even if application code has a bug, the database rejects cross-tenant queries. Security is not just in the app layer.
Separate JWT Claims
The organization identifier is embedded as a claim in the JWT and verified on every request.
Elevated Admin Privileges
Admin operations require elevated privileges that are strictly audited and controlled.
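The isolation model described above (an organization ID carried in the JWT, Row-Level Security on every table, enforcement in PostgreSQL rather than in application code) is concrete enough to show as a policy. The following is an added illustration, not CMG Workflow's own schema or policies: it assumes a Supabase project (so the `auth.jwt()` helper and the `authenticated` role exist), a constructed `leads` table, and a hypothetical claim named `organization_id` stored under the token's `app_metadata`.

```sql
-- Added example, not CMG Workflow's schema. A tenant-scoped "leads" table whose
-- rows are isolated per organization with PostgreSQL Row-Level Security.
-- Assumptions: Supabase's auth.jwt() helper is available, and the tenant id is
-- carried in the JWT under app_metadata.organization_id (hypothetical claim name).

create table if not exists leads (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null,
  name            text not null,
  created_at      timestamptz not null default now()
);

-- Reads the tenant id from the verified JWT claims of the current request.
-- STABLE lets the planner evaluate it once per query instead of once per row.
create or replace function current_organization_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'organization_id', '')::uuid
$$;

-- Enable RLS, and FORCE it so that even the table owner cannot bypass the policies.
-- With RLS enabled and no matching policy, the default is to return no rows.
alter table leads enable row level security;
alter table leads force row level security;

-- Read policy: a row is visible only when its organization matches the caller's claim.
create policy leads_select_own_org on leads
  for select to authenticated
  using (organization_id = current_organization_id());

-- Write policy: WITH CHECK stops a caller from inserting a row into, or moving
-- a row to, another organization. A USING clause on its own would not prevent that.
create policy leads_modify_own_org on leads
  for all to authenticated
  using (organization_id = current_organization_id())
  with check (organization_id = current_organization_id());

-- Checking the policy: simulate a request that carries tenant A's claim.
-- request.jwt.claims is the session setting Supabase's auth.jwt() reads (assumed here).
begin;
select set_config('request.jwt.claims',
  '{"app_metadata": {"organization_id": "11111111-1111-1111-1111-111111111111"}}',
  true);
set local role authenticated;

-- Returns only tenant A's rows, regardless of any organization_id the
-- application layer puts in its own WHERE clause.
select id, name from leads;

-- Rejected by the WITH CHECK clause: a cross-tenant insert (constructed tenant B id).
insert into leads (organization_id, name)
values ('22222222-2222-2222-2222-222222222222', 'should fail');
rollback;
```

Two caveats matter when relying on this model. First, `force row level security` is what makes the "even if application code has a bug" claim hold for connections made as the table owner; without it the owner role bypasses every policy. Second, Supabase's service-role key connects as a role that bypasses RLS entirely, so any server-side code path that uses it must derive the organization from the verified token, never from a client-supplied value, because the database will no longer catch the mistake.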
Input Validation
Zod schemas on all server actions — every input is validated before processing.
CSRF Protection
Built-in protection via Next.js server actions.
Rate Limiting
API endpoints are rate-limited to prevent abuse.
Webhook Verification
Signature verification for Meta, WhatsApp, and Stripe webhooks.
No SQL Injection
All queries use parameterized statements via the Supabase client.
Security Headers
Content Security Policy, X-Frame-Options, and other protective headers.
Dependency Updates
Regular dependency audits and updates to patch known vulnerabilities.
We know agencies worry about AI and their data. Here's our commitment.
Powered by Google Gemini
AI features (Cosmos AI, WhatsApp bot) use Google Gemini for natural language processing.
No Training on Your Data
Your CRM data is NOT used to train AI models. Period.
Stateless Processing
AI processing is stateless — queries are not stored by Google after processing.
AI is Optional
You can use CMG Workflow without AI features if preferred. All core CRM functionality works independently.
Auditable Operations
All AI operations are logged and auditable. You can see exactly what the AI did and when.
GDPR Compliant
EU company, EU data centers, full data subject rights.
SOC 2 Type II
Via Supabase (database provider).
ISO 27001
Via Vercel (hosting provider).
PCI DSS
Via payment processors (Stripe).
Our infrastructure partners maintain these certifications. CMG Frameworks SRL is pursuing independent SOC 2 certification.
Yes. CMG Frameworks SRL is an EU-registered company based in Romania, subject to GDPR by default. All data is stored in EU data centers (Vercel Frankfurt, Supabase EU region). We offer Data Processing Agreements on request, support right to erasure, data portability, and practice data minimization.
All data is stored exclusively within the European Union. Our application is hosted on Vercel (Frankfurt, Germany) and our database runs on Supabase (EU region). Your data never leaves the European Union.
No. CMG Workflow uses Row-Level Security (RLS) enforced at the PostgreSQL database level. Every table has RLS policies that filter by organization ID. Even if there were an application-level bug, the database itself would reject any cross-tenant query. Each organization is completely isolated.
No. Our AI features (Cosmos AI assistant, WhatsApp bot) use Google Gemini for processing, but your CRM data is never used to train AI models. AI processing is stateless — queries are not stored by Google. You can also use CMG Workflow without AI features if preferred.
Yes. You can export all your data at any time from within the application. For complete data deletion, you can submit a request through our data deletion page at /privacy/data-deletion. We process deletion requests in accordance with GDPR requirements.
We're happy to discuss our security practices in detail, provide a Data Processing Agreement, or answer any specific concerns.
security@cmgworkflow.com