Your specs are product IP.We treat them that way.

CrystalSpec is designed for teams that put sensitive product intent, implementation detail, and AI-assisted decisions in one place. This page summarizes the privacy and security measures behind that workflow, including on-premise deployment options and support for custom AI.

Privacy posture

AI training

No customer-content training

AI retention

Zero-retention provider routes

Company controls

ISO 27001 certified

Human gate

Every AI edit reviewed

Provider capabilities and terms are reviewed as routing changes. Where an AI request includes Customer Content, the route is selected for no-training and zero-retention handling.

The practical safeguards

AI requests are handled under no-training terms

CrystalSpec's AI features send only the context needed for the requested action. Customer prompts, project context, responses, and proposed actions are routed to AI providers and endpoints selected for zero data retention and no training.

Human approval stays in front of every AI edit

AI can draft, analyze, and propose changes, but it cannot silently rewrite your project. Proposed create, update, and delete actions wait for review before they become part of the spec.

Access follows the same project permissions

Users and integrations operate within the roles, teams, projects, and revisions they are allowed to access. API tokens are scoped, protected, and rate-limited.

Deployment can match your environment

Enterprise teams can discuss private deployment, data residency, procurement, and security review needs with CrystalSpec before rollout.

Useful AI, constrained by design.

CrystalSpec uses AI to draft and analyze structured specs, not to build a private training corpus out of your workspace. The model receives a bounded prompt, returns a proposed result, and humans decide what lands. For enterprise environments, CrystalSpec can route AI work through customer-approved providers or models.

OpenRouter ZDR documentation
  • No Customer Content is used to train CrystalSpec-owned models.
  • AI providers are selected for zero data retention and no-training handling for Customer Content.
  • Structured-output schemas constrain what the model is asked to return.
  • Enterprise customers can use approved custom AI providers or models.
  • Provider failures are handled server-side without exposing raw provider errors or credentials.
  • AI usage is tracked for quota and operations without turning customer specs into training data.

Need enterprise controls?

If your team needs private deployment, data residency review, custom AI, security questionnaires, or procurement support, contact us at support@crystalspec.com.

Contact enterprise support

Private deployments for stricter environments

Some teams cannot send product IP through a standard SaaS path. CrystalSpec can support on-premise deployments and custom AI setups when your organization needs tighter control over where data, models, and integrations run.

On-premise and private-environment deployments are available for organizations with strict data residency, network, or procurement requirements.

Custom AI routing can use customer-approved providers, private endpoints, or selected models instead of the standard hosted AI path.

Deployment architecture, identity, storage, AI routing, and operational controls can be reviewed with your security team before rollout.

ORGANIZING GROUP SRL is ISO 27001 certified

Governance that can be audited.

ORGANIZING GROUP SRL is ISO 27001 certified.
Customer Content is processed to provide and secure the service.
Subprocessors are reviewed for purpose, data handling, and transfer basis.
Billing, account, security, and operational records follow defined retention periods.

Bring your security requirements to the table.

Share your deployment constraints, preferred AI provider, and data handling requirements. We can walk through the right CrystalSpec setup before your team commits.