diff --git a/backend/internal/api/routes/routes.go b/backend/internal/api/routes/routes.go
index 0a085c29..2d422f2b 100644
--- a/backend/internal/api/routes/routes.go
+++ b/backend/internal/api/routes/routes.go
@@ -122,6 +122,7 @@ func RegisterWithDeps(ctx context.Context, router *gin.Engine, db *gorm.DB, cfg
 		&models.DNSProviderCredential{}, // Multi-credential support (Phase 3)
 		&models.Plugin{},                // Phase 5: DNS provider plugins
 		&models.ManualChallenge{},       // Phase 1: Manual DNS challenges
+		&models.CrowdSecWhitelist{},     // Issue #939: CrowdSec IP whitelist management
 	); err != nil {
 		return fmt.Errorf("auto migrate: %w", err)
 	}
diff --git a/backend/internal/models/crowdsec_whitelist.go b/backend/internal/models/crowdsec_whitelist.go
new file mode 100644
index 00000000..c371d7dc
--- /dev/null
+++ b/backend/internal/models/crowdsec_whitelist.go
@@ -0,0 +1,13 @@
+package models
+
+import "time"
+
+// CrowdSecWhitelist represents a single IP or CIDR block that CrowdSec should never ban.
+type CrowdSecWhitelist struct {
+	ID        uint      `json:"-"          gorm:"primaryKey"`
+	UUID      string    `json:"uuid"       gorm:"uniqueIndex;not null"`
+	IPOrCIDR  string    `json:"ip_or_cidr" gorm:"not null;uniqueIndex"`
+	Reason    string    `json:"reason"     gorm:"not null;default:''"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+}