Security

Security Posture Overview

This document is intended for security teams, IT managers, and enterprise buyers evaluating CrewSynx. It covers application security practices, vulnerability management, and deployment guidance. Because CrewSynx is self-hosted, your organisation controls the environment — this document explains what we are responsible for and what you are responsible for.

Last updated: 21 April 2026

Architecture & Data Ownership

CrewSynx is a self-hosted application — you deploy it on infrastructure you own and control.
Butterfly Instruments has no network access to, and retains no copy of, any data processed inside your instance.
No mandatory outbound connections to Butterfly Instruments servers are required at runtime.
Air-gapped deployments are fully supported.
All data at rest and in transit is managed entirely within your infrastructure boundary.

Application Security

Authentication uses industry-standard password hashing (bcrypt) — passwords are never stored in plaintext.
All API endpoints enforce role-based access control (RBAC) with organisation-level data isolation.
Input validation and parameterised queries are used throughout to prevent injection attacks.
HTTPS/TLS is required and enforced for all web-facing endpoints.
Session tokens are cryptographically signed with expiry enforced server-side.
Sensitive fields are excluded from API responses and application logs.

Development Practices

Dependencies are reviewed for known vulnerabilities before each release.
The codebase follows OWASP Top 10 guidelines as a baseline for security review.
No third-party analytics, advertising SDKs, or telemetry libraries are bundled in the application.
New features undergo internal security review before release.
Source code is version-controlled with signed commits for release builds.

Vulnerability Management

Security vulnerabilities can be reported confidentially to contact@butterflyinstruments.com.
We acknowledge receipt of vulnerability reports within 2 business days.
Critical and high-severity vulnerabilities are prioritised and patched as quickly as possible.
Security patches are made available to all active license holders via versioned releases.
License holders are notified by email when a security-relevant update is released.
We request a reasonable coordinated disclosure window before public reporting of vulnerabilities.

Incident & Update Notification

License holders are notified directly by email when security patches are released.
Release notes for each version clearly indicate whether a release includes security fixes.
There are no automatic or forced updates — you control when and whether to apply updates.

Deployment Security Guidance

Deploy behind a reverse proxy (e.g. Nginx, Caddy) with TLS termination.
Restrict database access to the application server only — do not expose the database publicly.
Enable firewall rules to limit inbound access to only required ports (80/443).
Schedule regular backups of the database and store them off-server.
Keep the host operating system and all system packages updated.
Use strong, unique credentials for the database and application admin accounts.
Review and apply the principle of least privilege for all system accounts.

Responsibility Split

As a self-hosted product, security responsibilities are shared. The table below summarises who is responsible for what.

Area	Butterfly Instruments	Your Organisation
Application code security	✓ Responsible
Security patch releases	✓ Responsible
Applying security updates		✓ Responsible
Server & infrastructure hardening		✓ Responsible
Data backup & recovery		✓ Responsible
Network & firewall configuration		✓ Responsible
Data protection compliance (GDPR etc.)		✓ Responsible
Access & user account management		✓ Responsible

Contact & Disclosure

For security questions, vendor questionnaire support, penetration test requests, or to report a vulnerability, contact contact@butterflyinstruments.com. We aim to respond to security-related inquiries within 2 business days.

Security & Compliance FAQ →·EU Data Processing Agreement →