Trust & Privacy

Data Protection & the DPDP Act

CrewForge holds employee records, client relationships, and company financials, so protecting personal data is fundamental to how we operate. This page explains how we handle personal data in line with India's Digital Personal Data Protection Act, 2023 (the "DPDP Act") and the Digital Personal Data Protection Rules, 2025 — our role, your rights, how we secure data, and how to reach us.

1. Introduction

CrewForge is a multi-tenant ERP and workforce-management platform for software companies. Operating it means processing personal data — about a customer's own team, their clients, and their business. We are committed to handling that data lawfully, transparently, and securely, and to helping our customers meet their own obligations under the DPDP Act.

This statement is written in plain language and is intended to be read alongside our Privacy Policy, Security page, and Subprocessors list. Where this page describes a step you must take to exercise a right, we tell you exactly how to do it.

2. Our Role Under the DPDP Act

The DPDP Act distinguishes between a Data Fiduciary (who decides why and how personal data is processed) and a Data Processor (who processes data on a Fiduciary's behalf). CrewForge plays both roles, depending on the data:

Our role: Data Processor
  • Which data: Everything a customer loads into their workspace — employee records, client and contact details, CRM leads, support tickets, worklogs, payroll, and uploaded documents.
  • What it means for you: The customer (your employer or the business that engaged you) is the Data Fiduciary. We process this data on their instructions. If you are an individual whose data was added by a CrewForge customer, please direct rights requests to that organisation first; we will assist them in responding.

Our role: Data Fiduciary
  • Which data: Account & billing data of the business that signs up — the account holder's name and email, business legal name, GSTIN, and billing address.
  • What it means for you: For this data we are directly responsible: we provide notice, honour your rights, retain it only as needed, and handle any breach in line with the DPDP Act.

3. Personal Data the Platform Handles

The categories below reflect what CrewForge can store on behalf of a customer. The exact data present in any workspace depends on which modules that customer uses and what they choose to enter.

Whose data: Employees & team members
  • Categories: Identity & contact (name, work and personal email, phone, address); employment details (role, joining/exit dates, manager); payroll & financial (salary, bank details); government identifiers (PAN, and where entered, Aadhaar); attendance & worklog data, which can include device and approximate location when location capture is enabled.
  • Purpose: HR operations, time tracking, payroll, and workforce management for the customer.

Whose data: Clients & contacts
  • Categories: Company and contact-person details (name, email, phone, address), tax identifiers (GSTIN), and support-portal access data.
  • Purpose: Managing client relationships, projects, billing, and the support portal.

Whose data: Sales leads
  • Categories: Prospect company and contact details, deal information, and notes.
  • Purpose: CRM and sales-pipeline management.

Whose data: Account holders
  • Categories: Sign-up name and email, business legal name, GSTIN, and billing address.
  • Purpose: Providing, billing, and supporting the CrewForge service.

Whose data: All users
  • Categories: Usage and system data — login timestamps, IP address at sign-in, and operational logs.
  • Purpose: Security, troubleshooting, and maintaining a reliable service.

4. Your Rights as a Data Principal

Under the DPDP Act you have rights over your personal data. Because most data in CrewForge is held on behalf of our customers, the route to exercise a right depends on who controls your data:

  • If your data was added by a CrewForge customer (for example, your employer), that organisation is the Data Fiduciary — please contact them first. We will support them in fulfilling your request.
  • If your data is account or billing data we control, or you cannot reach the relevant customer, contact our Grievance Officer using the details below.

The rights available to you include:

  • Access — obtain a summary of the personal data we process about you and how it is used.
  • Correction — have inaccurate or incomplete data corrected or updated.
  • Erasure — request deletion of your personal data where it is no longer needed for the purpose it was collected and no law requires us to keep it.
  • Grievance redressal — raise a concern about how your data is handled and receive a response.
  • Nomination — nominate another person to exercise your rights in the event of death or incapacity.
  • Withdraw consent — where processing relies on your consent, withdraw it; this does not affect processing already carried out.

We will acknowledge and respond to rights and grievance requests within 90 days, and usually much sooner. We may need to verify your identity before acting on a request.

5. How We Protect Your Data

We combine our own controls with the capabilities of trusted infrastructure providers to safeguard data throughout its lifecycle:

  • Tenant isolation — every customer's data lives in its own dedicated database on its own subdomain, never sharing storage with another customer.
  • Encryption in transit — data exchanged between users, our application, and our providers is encrypted using industry-standard TLS.
  • Encryption at rest — stored data and backups are encrypted at rest where the underlying service supports it, including data and files held in Amazon S3 and other AWS storage.
  • Access controls — access follows a least-privilege, role-based model, and especially sensitive fields (such as bank and identity details) are gated behind a dedicated permission.
  • Authentication — administrative and infrastructure access is protected by strong authentication.
  • Monitoring & audit trails — we log key actions and monitor our systems for anomalies and potential security events; deletions are soft by default, so history survives.
  • Backups — customer data is backed up regularly, with processes designed to restore service after disruption.

For a fuller picture of our security model, see our Security page. We continue to strengthen these safeguards over time as part of our DPDP readiness programme.

6. Subprocessors & Cross-Border Transfers

We rely on a small number of carefully vetted third-party providers to operate the service. Each is listed, with the data they handle, on our Subprocessors page. Some of these providers may process or store data on infrastructure outside India; we engage them under contractual data-protection commitments and in line with applicable law.

7. Data Retention

We retain personal data for as long as a customer's account is active and the data is needed to provide the service, and thereafter only as required to meet legal, tax, or accounting obligations. When data is no longer needed for these purposes, we take steps to delete or anonymise it. Customers control the data in their own workspaces and may delete records at any time.

8. Personal-Data Breaches

If a personal-data breach occurs, we are committed to acting promptly: notifying affected customers and, where we are the Data Fiduciary, the Data Protection Board of India and affected individuals, consistent with the timelines under the DPDP Rules. Where we act as a Data Processor, we will inform the affected customer without undue delay so they can meet their own notification obligations.

9. Grievance Redressal & Contact

We have designated a Grievance Officer to receive and address questions, requests, and complaints about how we handle personal data. If you are not satisfied with our response, you may escalate to the Data Protection Board of India.

Grievance Officer

For DPDP rights, grievances, and data-protection queries.

Ashish Singh
CEO & Co-founder, TheCodeWork
Director, Debsin Technologies Private Limited

crewforge@gmail.com

Registered entity

The company responsible for CrewForge.

TheCodeWork (registered under Debsin Technologies Private Limited)
H12, Baghajatin Lane, Chengcoorie Road, Silchar, Assam, 788004, India

10. For Our Customers (Data Fiduciaries)

If you use CrewForge to process personal data about your own employees or clients, you are the Data Fiduciary for that data and CrewForge acts as your Data Processor. A Data Processing Agreement (DPA) is available on request, and our security controls and sub-processor transparency are designed to help you meet your obligations under the DPDP Act. Please reach out using the contact details above.

Last updated: June 25, 2026

This page is reviewed periodically and updated as our practices and the law evolve. It is provided for transparency and is not legal advice.