Crono reads your threads and sends mail from your address. That only works if it is secure by default. Here is how we protect your data.
Security is a product requirement, not an afterthought. Crono asks for the narrowest access it needs, isolates every customer's data, encrypts it end to end, and logs the sensitive actions the agent takes. The sections below describe the controls in plain terms; deeper documentation is available to customers under NDA.
Each customer's data is logically isolated from every other customer's. One account's threads, calendars, and settings are never visible to another. Coworker availability lookups inside an organization are mediated by permissions and recorded in an audit log.
Data is encrypted in transit with TLS 1.3 and at rest with AES-256. Connected-account credentials are encrypted with managed keys and are never written in plaintext to our application logs.
Access to production systems follows least privilege, is individually authenticated, requires multi-factor authentication, and is logged. Every cross-user calendar lookup is written to an audit log that Team admins can review. Internal access to customer data is restricted to what is needed to operate and support the Service.
Crono requests calendar-only scopes and does not read the bodies of your meeting events. Message bodies are never written to system logs; logs hold request IDs, response codes, and latency. We keep only what is needed to run the agent and to keep it secure.
Crono uses language models to read threads and draft replies. We do not train foundation models on your data, and one customer's content is never used to improve another's agent. Our inference subprocessors are contractually barred from training on or retaining your content beyond returning a response.
Crono runs on established cloud infrastructure with managed networking and key management. We keep encrypted backups, monitor for errors and abuse, and follow a documented incident-response process. Backups rotate out within 35 days.
We support GDPR, UK GDPR, and CCPA/CPRA obligations, offer a Data Processing Addendum incorporating the EU Standard Contractual Clauses, and publish our subprocessor list. A SOC 2 Type II program is in progress; contact us for current status and to receive reports as they become available.
If you find a vulnerability, email security@cronohq.com. We acknowledge reports the same day, keep you updated, and will credit researchers who report in good faith. Please do not access other people's data or degrade the Service while testing, and give us reasonable time to fix issues before disclosing them.
Security questions, reviews, and reports: security@cronohq.com.