
Security & Account Settings — Complete Guide

Overview

FuriosaCRM is built with security at every layer. From encrypted data storage to isolated multi-tenant databases, every design decision prioritizes the protection of your data and your customers' data. This guide covers the security features available to you, how to configure them, and the underlying architecture that keeps your account safe.

We follow industry best practices including data encryption at rest and in transit, strict input validation, CSRF protection on all forms, Redis-based rate limiting to prevent abuse, and role-based access control. All infrastructure runs on Hetzner Cloud in the EU (Helsinki region) and is managed with strict access controls and regular security audits.

Security is a shared responsibility. While FuriosaCRM provides robust security infrastructure, you also play a critical role by setting strong passwords, enabling two-factor authentication, and following the best practices outlined in this guide.

Two-Factor Authentication

Two-factor authentication (2FA) adds a second verification step beyond your password when logging in. Even if someone obtains your password, they cannot access your account without the second factor. FuriosaCRM supports two 2FA methods: Email OTP and SMS OTP.

Email OTP sends a one-time password to your registered email address each time you log in. After entering your username and password, you are prompted to enter the 6-digit code sent to your email. The code expires after 10 minutes. This method is free and does not require any additional setup beyond having a valid email address on file.

SMS OTP sends a one-time password to your registered phone number via text message. This requires a valid mobile phone number in your account settings. SMS OTP is slightly more convenient than email as text messages typically arrive faster, but it requires SMS credits if enabled platform-wide.
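The issue-and-verify flow behind a 6-digit, 10-minute OTP, as an added illustration rather than FuriosaCRM's own code. It assumes session_start() has already run and that a sendOtp() delivery function exists; the 5-attempt cap is an assumption, while the 6 digits and 10-minute expiry are the values stated above.

```php
<?php
// Illustrative email/SMS OTP issue-and-verify flow (added example, not FuriosaCRM's code).
// Assumes session_start() has run and a sendOtp($channel, $code) function exists to
// deliver the code. The 5-attempt cap is an assumption; the 6 digits and 10-minute
// expiry are the values stated in the guide.
const OTP_TTL_SECONDS = 600;
const OTP_MAX_ATTEMPTS = 5;

function issueOtp(string $channel): void
{
    // random_int() is the CSPRNG; zero-pad so "004217" keeps all six digits.
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $_SESSION['otp'] = [
        'hash'     => password_hash($code, PASSWORD_DEFAULT), // never keep the code itself
        'expires'  => time() + OTP_TTL_SECONDS,
        'attempts' => 0,
        'channel'  => $channel,                                // 'email' or 'sms'
    ];
    sendOtp($channel, $code);   // assumed delivery helper (email or SMS gateway)
}

function verifyOtp(string $submitted): bool
{
    $otp = $_SESSION['otp'] ?? null;
    if ($otp === null || time() > $otp['expires'] || $otp['attempts'] >= OTP_MAX_ATTEMPTS) {
        unset($_SESSION['otp']);            // expired or exhausted: user must request a new code
        return false;
    }
    $_SESSION['otp']['attempts']++;         // count before comparing, so guesses stay bounded
    if (!preg_match('/^\d{6}$/', $submitted) || !password_verify($submitted, $otp['hash'])) {
        return false;
    }
    unset($_SESSION['otp']);                // single use: a correct code cannot be replayed
    $_SESSION['2fa_passed'] = true;
    session_regenerate_id(true);            // fresh session id once the login is complete
    return true;
}
```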

[Screenshot of app.furiosacrm.com/admin/account-settings, Two-Factor Authentication panel: "Add an extra layer of security to your account by requiring a verification code when you log in." Toggles for Email Verification (receive a 6-digit code via email on each login) and SMS Verification (receive a 6-digit code via SMS on each login). Status line: "Email 2FA is enabled. Your account requires email verification on every login."]

To enable 2FA, go to Account Settings (accessible from the user menu at the bottom of the sidebar) and toggle on your preferred verification method. You can enable both methods simultaneously, and FuriosaCRM will let you choose which one to use at login time. We strongly recommend enabling at least one 2FA method for all accounts.

Tip: Email OTP is the most reliable 2FA method since it does not depend on mobile network coverage. If you frequently travel or have unreliable mobile service, use email verification as your primary 2FA method.

Password Management

Passwords in FuriosaCRM are hashed using bcrypt (PHP's PASSWORD_DEFAULT algorithm) before storage. This means even FuriosaCRM administrators cannot see your password — it is stored as an irreversible hash. When you log in, your input is hashed and compared to the stored hash, never compared in plain text.

To change your password, go to Account Settings and use the password change section. You will need to enter your current password for verification, then your new password twice. Passwords must be at least 8 characters long. For maximum security, use a password that is at least 12 characters and includes a mix of uppercase letters, lowercase letters, numbers, and symbols.

If you forget your password, use the Forgot Password link on the login page. Enter your email address and you will receive a time-limited reset link. The link expires after 1 hour and can only be used once. After clicking the link, you will be prompted to create a new password.

Important: Never share your password with anyone, including FuriosaCRM support staff. Our team will never ask for your password. If someone contacts you claiming to be from FuriosaCRM and asks for your credentials, it is a phishing attempt.

Session Security

FuriosaCRM uses PHP session management with secure configuration. Sessions are stored server-side with only a session identifier cookie sent to your browser. The session cookie is marked HttpOnly (preventing JavaScript access), Secure (only transmitted over HTTPS), and SameSite=Strict (preventing cross-site request forgery).

Sessions automatically expire after 2 hours of inactivity. If you close your browser and return within 2 hours, you will still be logged in. After expiry, you will be redirected to the login page. For security-sensitive accounts, we recommend logging out explicitly when you are done working, rather than relying on session timeout.

Each login session stores user identification data including your user ID, display name, email, role, parent ID (for child accounts), and permissions. If you suspect unauthorized access, change your password immediately, which invalidates all existing sessions by regenerating the session identifier.
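How the cookie flags, the 2-hour inactivity timeout and the session-identifier regeneration described above fit together, as an added example that is not FuriosaCRM's own code. The flag values and the 2-hour window are the ones stated in this section; the cookie name, the lastActivity key and the login redirect path are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Illustrative hardened session bootstrap (added example, not FuriosaCRM's code).
// Flags and the 2-hour inactivity window are the values stated in the guide;
// the cookie name, the 'lastActivity' key and the redirect path are assumptions.
const SESSION_IDLE_SECONDS = 7200;

function startSecureSession(): void
{
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS);
    session_name('furiosa_sid');
    session_set_cookie_params([
        'lifetime' => SESSION_IDLE_SECONDS, // survives a browser restart within the window
        'path'     => '/',
        'secure'   => true,       // HTTPS only
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Strict',   // not sent on cross-site requests
    ]);
    session_start();

    // Enforce the inactivity timeout ourselves: gc_maxlifetime only guides the garbage
    // collector, so this server-side check is what actually ends idle sessions.
    $last = $_SESSION['lastActivity'] ?? time();
    if (time() - $last > SESSION_IDLE_SECONDS) {
        session_unset();
        session_destroy();
        header('Location: /admin/login?reason=expired');
        exit;
    }
    $_SESSION['lastActivity'] = time();
}

// After a successful login (and after a password change) swap the session id so an
// identifier captured before authentication cannot be reused.
function onLoginSuccess(array $user): void
{
    session_regenerate_id(true);
    $_SESSION['user'] = [
        'id' => $user['id'], 'name' => $user['display_name'], 'email' => $user['email'],
        'role' => $user['role'], 'parent_id' => $user['parent_id'] ?? null,
        'permissions' => $user['permissions'],
    ];
    $_SESSION['lastActivity'] = time();
}
```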

Data Encryption

FuriosaCRM encrypts sensitive data at multiple levels:

  • In transit: All connections between your browser and FuriosaCRM use TLS 1.2+ encryption via HTTPS. This is enforced at the Cloudflare edge (Full Strict SSL mode) and cannot be bypassed. Internal service-to-service communication on the private network also uses encrypted channels where applicable.
  • At rest: Database servers use encrypted storage volumes. Daily backups are encrypted before being transferred to the offsite storage box.
  • Application-level: Highly sensitive fields like API tokens, OAuth tokens (for ad platform integrations), and webhook secrets are encrypted using AES-256-CBC with a per-installation encryption key before being stored in the database. This means even if the database were compromised, these values would not be readable.

Password hashing (bcrypt) is separate from encryption. Passwords are never encrypted — they are hashed, which is a one-way operation. This is the gold standard for password storage as it means passwords cannot be "decrypted," only verified by comparing hashes.

Multi-Tenant Isolation

FuriosaCRM uses a multi-tenant architecture with database-per-tenant isolation. When a new Client Admin account is created, a dedicated database is provisioned: client_{user_id}. All of that client's data — audience contacts, submissions, campaign data — is stored in their own database, completely separate from other clients.

This isolation provides several security guarantees. A software bug in one client's query cannot accidentally expose another client's data. Database-level access controls ensure each client connection can only reach its own database. Performance is also isolated: a client running a large import does not slow down queries for other clients.

Within a client's database, further isolation exists at the table level. Each page has its own submissions_{page_id} table, and each audience has its own audience_{id} table. This granular isolation means that even within a single client account, data from different pages and audiences is physically separated.

Tip: Multi-tenant isolation is automatically applied. You do not need to configure anything. Your data is isolated from the moment you create your account.

CSRF Protection

Cross-Site Request Forgery (CSRF) is an attack where a malicious website tricks your browser into making unintended requests to FuriosaCRM while you are logged in. FuriosaCRM prevents this with token-based CSRF protection on every form submission and AJAX request.

Every page that contains a form includes a hidden CSRF token generated by the generateCSRFToken() function. When the form is submitted, the token is validated by validateCSRFToken() on the server. If the token is missing, expired, or does not match the session, the request is rejected with an error. This ensures that only forms rendered by FuriosaCRM can trigger state-changing actions.

For AJAX requests (used extensively in the page builder, audience management, and campaign tools), the CSRF token is sent as a POST parameter alongside the action identifier. The token is regenerated periodically to prevent reuse. If you encounter a "Token expired" error, simply refresh the page to get a new token.
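What a session-bound, expiring CSRF token pair like generateCSRFToken() and validateCSRFToken() looks like in practice, as an added illustration rather than FuriosaCRM's actual implementation. It assumes session_start() has already run; the 30-minute rotation interval and the csrf_token field name are assumptions, since the guide does not state them.

```php
<?php
// Illustrative session-bound CSRF token helpers (added example, not FuriosaCRM's code).
// Assumes session_start() has already run. The 30-minute rotation interval and the
// 'csrf_token' field name are assumptions; the guide does not state the real values.
const CSRF_TTL_SECONDS = 1800;

function generateCSRFToken(): string
{
    $now = time();
    // Reuse the current token while it is fresh so several open tabs keep working.
    if (isset($_SESSION['csrf']) && ($now - $_SESSION['csrf']['issued']) < CSRF_TTL_SECONDS) {
        return $_SESSION['csrf']['value'];
    }
    // 32 bytes from the CSPRNG, hex-encoded so it is safe inside an HTML attribute.
    $_SESSION['csrf'] = ['value' => bin2hex(random_bytes(32)), 'issued' => $now];
    return $_SESSION['csrf']['value'];
}

function validateCSRFToken(?string $submitted): bool
{
    if ($submitted === null || !isset($_SESSION['csrf'])) {
        return false;                       // token missing, or no token issued for this session
    }
    if ((time() - $_SESSION['csrf']['issued']) >= CSRF_TTL_SECONDS) {
        unset($_SESSION['csrf']);           // expired: the client must refresh the page
        return false;
    }
    // Constant-time comparison so a mismatch does not leak where the strings differ.
    return hash_equals($_SESSION['csrf']['value'], $submitted);
}

// Rendering side: embed the token in every form that changes state.
function csrfField(): string
{
    $token = htmlspecialchars(generateCSRFToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Handling side: reject any POST (form or AJAX) whose token does not validate.
function requireCSRF(): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && !validateCSRFToken($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Token expired or invalid; reload the page and try again.');
    }
}
```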

Rate Limiting

FuriosaCRM uses Redis-based rate limiting to protect against brute-force attacks, credential stuffing, and API abuse. Rate limits are applied at multiple levels:

  • Login attempts: After 5 failed login attempts from the same IP address within 15 minutes, further attempts are temporarily blocked. This prevents automated password guessing.
  • API requests: API endpoints are limited to 60 requests per minute per API key. Exceeding this returns a 429 (Too Many Requests) response with a Retry-After header.
  • Form submissions: Public-facing signup forms are rate-limited to prevent spam submissions. The limits are generous enough for legitimate traffic but block automated bots.
  • Password reset: Password reset requests are limited to 3 per email per hour to prevent abuse.

Rate limiting is implemented using Redis's atomic increment and expiry operations, ensuring accuracy even under high concurrency. If you encounter rate limiting during legitimate use, wait for the indicated period and try again. Contact support if you believe the limits are too restrictive for your use case.
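A fixed-window limiter built on Redis's atomic INCR and EXPIRE, using the limits listed above, as an added example that is not FuriosaCRM's own code. It uses the phpredis extension; the Redis host and port, the key prefix and the X-API-Key header name are assumptions.

```php
<?php
// Fixed-window rate limiter on Redis (added example, not FuriosaCRM's code).
// Uses the phpredis extension; host/port, key prefix and header name are assumptions.
// INCR and EXPIRE run inside one Lua script so the window is started atomically
// even when many requests arrive at the same instant.
const RATE_LIMIT_SCRIPT = <<<'LUA'
local count = redis.call('INCR', KEYS[1])
if count == 1 then
    redis.call('EXPIRE', KEYS[1], ARGV[1])
end
return {count, redis.call('TTL', KEYS[1])}
LUA;

// Limits from the guide: login 5 per 15 min per IP, API 60 per min per key, reset 3 per hour per email.
const RATE_LIMITS = [
    'login' => ['max' => 5,  'window' => 900],
    'api'   => ['max' => 60, 'window' => 60],
    'reset' => ['max' => 3,  'window' => 3600],
];

/**
 * Returns [allowed, retryAfterSeconds]. $subject is the IP, API key or email the
 * limit is keyed on; it is hashed so raw emails never appear in Redis keys.
 * For the 'login' bucket, call this after a failed attempt so only failures count.
 */
function checkRateLimit(Redis $redis, string $bucket, string $subject): array
{
    $limit = RATE_LIMITS[$bucket];
    $key = 'ratelimit:' . $bucket . ':' . hash('sha256', $subject);
    [$count, $ttl] = $redis->eval(RATE_LIMIT_SCRIPT, [$key, $limit['window']], 1);
    if ($count > $limit['max']) {
        return [false, max(1, (int) $ttl)];   // tell the caller when the window resets
    }
    return [true, 0];
}

// Usage at an API endpoint: reject over-limit callers with 429 and Retry-After.
$redis = new Redis();
$redis->connect('127.0.0.1', 6379);           // assumed local Redis instance
[$ok, $retryAfter] = checkRateLimit($redis, 'api', $_SERVER['HTTP_X_API_KEY'] ?? 'anonymous');
if (!$ok) {
    http_response_code(429);
    header('Retry-After: ' . $retryAfter);
    exit('Too Many Requests');
}
```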

Account Settings

Your account settings are accessible from the user menu at the bottom of the admin sidebar. Click your name to open the menu, then select Account Settings. This page lets you update your personal information and security preferences.

[Screenshot of app.furiosacrm.com/admin/account-settings, Account Settings page: a Profile Information section with Display Name, Email Address and Phone Number fields, and a Change Password section with Current Password, New Password and Confirm New Password fields.]

Available settings include:

  • Display Name: How your name appears throughout the platform, in activity logs, and in campaign sender names.
  • Email Address: Your login email and the address used for notifications, password resets, and 2FA codes.
  • Phone Number: Used for SMS 2FA and, if configured, as a sender identity for SMS campaigns.
  • Password: Change your password at any time. Requires your current password for verification.
  • Two-Factor Authentication: Enable or disable Email OTP and SMS OTP methods.

Data Privacy

FuriosaCRM is committed to GDPR compliance and data privacy. All personal data is processed and stored within the EU (Hetzner Cloud, Helsinki data center). We act as a data processor on behalf of our customers (data controllers), processing audience data only as instructed by you.

You have full control over the data stored in your FuriosaCRM account. You can export all audience data at any time using the built-in export tools (CSV format). You can delete individual contacts, entire audiences, or request a full account deletion by contacting support.

For GDPR compliance with your own users, FuriosaCRM provides the Privacy Builder tool (see the Tools guide) to generate privacy policy documents, and the page builder includes consent checkboxes that can be added to signup forms. All form submissions record the timestamp and IP address of consent for your records.

If you receive a data subject access request (DSAR) from one of your contacts, you can search for their data across all your audiences, export it as a CSV, and provide it to them. If they request deletion, you can remove their data from all audiences with a single action. FuriosaCRM's multi-tenant architecture ensures that deleting a contact from your account has no effect on other accounts, even if the same email address exists elsewhere.

Important: You are responsible for ensuring your own data collection practices comply with GDPR, PECR, and other applicable regulations. FuriosaCRM provides the tools and infrastructure, but legal compliance depends on how you collect, store, and use personal data.