Protect access
Authentication, scoped permissions and request protections reduce avoidable exposure.
CrewByte trust centre
A clear view of the controls built into CrewByte, the choices customers own, and the assurances we do—and do not—make today.
Authentication, scoped permissions and request protections reduce avoidable exposure.
Deployment-specific facts and unverified assurances are never presented as universal guarantees.
CrewByte protects the platform; customers configure access and govern their workforce use.
Controls and service architecture evolve. Contracted terms and evidence supplied for a specific review take precedence over this public overview.
An honest starting point
CrewByte is built with technical and organisational safeguards intended to support secure workforce operations. Security is an ongoing practice, not a one-time claim. This Trust Centre separates controls visible in the product and codebase from choices made by customers or during deployment.
We do not currently claim SOC 2, ISO 27001, Cyber Essentials, PCI certification, an independent penetration-test attestation, a 24/7 security operations centre or any other certification that is not expressly evidenced in a signed customer assurance pack.
Implemented controls
Password hashing, secure-session settings, CSRF protection, permission checks, workspace scoping, selected activity records and credential lifecycle controls.
Customer-configured
User accounts, roles, location access, connected services, uploaded content, workforce notices, lawful bases and day-to-day data quality.
Contract or deployment
Hosting region, infrastructure providers, backup arrangements, support targets, service levels, recovery objectives and any negotiated assurance rights.
Not claimed
Certifications, universal data residency, measured uptime, broad encryption-at-rest coverage, continuous monitoring or a complete immutable audit log.
Need evidence for procurement? Tell us the scope of your review. We will distinguish current evidence, planned controls and facts that depend on the customer deployment.
Identity and session protection
Passwords are transformed with PHP password hashing and are checked using its password-verification mechanism; plaintext passwords are not used for authentication comparisons.
Sessions use HttpOnly and SameSite cookie settings, add Secure on HTTPS, and regenerate identifiers at important authentication transitions.
Certain risk signals can trigger a time-limited email PIN with attempt limits. This is an adaptive check and is not described as universal multi-factor authentication.
Customers remain responsible for protecting inboxes and devices, choosing strong unique passwords, removing dormant users and promptly reporting suspected account compromise.
Least privilege in context
CrewByte supports role permissions plus workspace, company and location checks. These controls are designed to keep people inside the parts of an organisation relevant to their responsibilities. Access decisions still depend on the roles and memberships configured by each customer.
Protected actions check authentication and relevant permissions. Service code scopes workspace and location operations to the authorised context where the feature requires it.
Workspace owners decide who is invited, what role they receive, which locations they can reach and when that access should be changed or removed.
No public page can prove that every customer has configured least privilege correctly. Owners should review privileged roles and location membership regularly.
Web application safeguards
Repository configuration shows how supported endpoints are intended to be deployed; it is not proof that every live environment is configured identically. Environment verification forms part of deployment and customer-specific assurance.
Developer security
CrewByte’s Developer Hub includes controls for generating scoped API credentials, displaying a new secret once, storing a keyed one-way representation, setting expiry, rotating a key and revoking access. Webhook signing secrets can be protected with authenticated AES-256-GCM encryption when the required server key is configured.
Developer features remain staged. Credential-management controls do not, by themselves, mean every API, webhook event or integration shown in the Hub is generally available. Preview access and documentation determine what can be used.
Grant only the permissions an integration needs and keep test and production credentials separate.
Never place API or webhook secrets in browser code, public repositories, URLs or support messages.
Replace exposed credentials immediately and remove integrations that no longer have a business purpose.
Investigation and accountability
CrewByte records selected events that can support troubleshooting and investigation, including login-related events, Hub administration, Developer Hub actions and time-clock edits. Access to those records is limited by the relevant portal and permission context.
These records should not be interpreted as a complete, immutable history of every view, edit, export or decision across the platform. Customers that need a particular audit scope or retention period should document it during procurement rather than assume it is included.
Privacy and governance
CrewByte normally acts as a processor for workforce records that a customer places in its workspace, and as a controller for its own account administration, security, billing, support, website and programme records. The exact role follows the purpose of the processing.
Our privacy policy explains how personal data is handled, while our GDPR readiness page explains processor commitments, rights support, transfers, retention and the customer’s responsibilities. GDPR readiness is not a product certification and depends on lawful use, configuration, contracts and organisational processes.
Supply chain transparency
Depending on the services a customer enables, CrewByte may rely on infrastructure, database, backup, email, billing and optional identity or integration providers. Stripe supports billing, and Google or Apple may be used when an organisation enables the corresponding sign-in option. Other providers are deployment-specific.
We do not publish a universal UK-only or EU-only data-residency promise because location can depend on the agreed deployment and providers in use. Where a restricted transfer requires a safeguard, the applicable data-processing terms should identify the relevant mechanism and supplementary measures.
Current deployment facts
Ask for the current provider, hosting-region and transfer information for the CrewByte services your organisation plans to use.
Customer-controlled content
Relevant upload flows apply file-size and permitted-extension rules, and downloads are restricted through permission and organisation context. These are useful safeguards, but they are not the same as antivirus or malware scanning, and CrewByte does not currently make a public malware-scanning claim.
Customers should upload only information needed for the enabled workforce purpose, restrict sensitive documents to appropriate roles, avoid placing secrets in notes or filenames, and remove content that is no longer required. Leave reasons, compliance records and documents can contain sensitive personal data and need additional care.
Report and respond
Report a suspected CrewByte security issue to support@crewbyte.io. Include the affected service, a clear reproduction or timeline and a safe way to contact you. Do not access another customer’s data, disrupt the service, publish exploitable details before coordination or include passwords, API secrets or unnecessary personal data.
We will route credible reports for assessment, take proportionate containment and remediation steps, and communicate with affected customers as appropriate. Where CrewByte acts as a processor and becomes aware of a personal data breach affecting customer-controlled data, notification duties are governed by the DPA and applicable law.
This public page does not promise a 24/7 response, a fixed vulnerability bounty, a universal incident-notification deadline or a regulator-notification service. Contractual and legal duties remain controlling.
Availability without invented numbers
CrewByte is designed to support day-to-day workforce operations, but this Trust Centre does not publish an unverified uptime percentage, recovery-time objective, recovery-point objective or tested-backup guarantee. Those claims require monitoring evidence, documented procedures and an agreed service scope.
Any plan-specific availability commitment, maintenance notice process, support window, backup arrangement or recovery objective belongs in the applicable Order or service documentation. Customers should keep proportionate business-continuity procedures for safety-critical or legally time-sensitive operations.
A secure service is shared work
Security and procurement
Tell us which product, deployment and control your review concerns. Please never send a live password, API key, webhook secret or unnecessary personal data.