Subprocessors

1. Introduction

CrewForge is a cloud-based HRMS and workforce management platform. To deliver a reliable, secure, and performant service, we rely on a small number of carefully vetted third parties — known as subprocessors — that may process customer data on our behalf.

A subprocessor is any external company we engage to handle infrastructure or processing tasks that involve customer data, such as hosting our application, storing files, or delivering notifications. Using established providers lets us offer enterprise-grade reliability and security without rebuilding undifferentiated infrastructure ourselves.

Protecting customer data is core to how we operate. When selecting subprocessors, we are guided by a few simple principles:

Necessity — we only engage a subprocessor when it is genuinely required to operate or improve the service.
Trustworthiness — we favor providers with strong, independently audited security and privacy track records.
Data minimization — subprocessors receive only the data they need to perform their function, and nothing more.
Accountability — every subprocessor is bound by contractual obligations to protect the data they process.

2. Subprocessor Management Policy

We apply a consistent process before any subprocessor is allowed to handle customer data, and we continue to review them throughout the relationship.

Vendor selection

New subprocessors are proposed only when there is a clear operational need. We evaluate each candidate on its reliability, security posture, compliance certifications, data-handling practices, and overall fit with our customers' expectations.

Security evaluation

Before onboarding, we assess a provider's security controls — including their certifications and attestations (such as SOC 2, ISO 27001, or equivalent), encryption practices, access controls, and incident-response capabilities — to confirm they meet our standards.

Confidentiality requirements

Subprocessors are bound by contractual confidentiality and data-protection obligations. These commitments require them to protect customer data, use it only for the agreed purposes, and apply appropriate technical and organizational safeguards.

Data minimization

We limit the categories and volume of data shared with each subprocessor to what is strictly necessary for them to perform their service. We avoid sharing sensitive information where it is not required.

Least privilege access

Access to systems and data is granted on a least-privilege basis. Subprocessors and our own personnel receive only the minimum access needed to carry out their responsibilities, and that access is reviewed periodically.

Ongoing monitoring and review

Our use of subprocessors is reviewed on a recurring basis. We monitor their continued compliance, reassess their security posture, and update this page when our list of subprocessors changes.

3. Current Subprocessors

The following subprocessors are currently engaged by CrewForge:

All AWS services above are operated by Amazon Web Services, Inc. EC2, S3, and SNS are individual AWS services and are not separate vendors.

Vendor	Service	Purpose	Categories of Data Processed	Website
Amazon Web Services (AWS) Cloud infrastructure provider	Amazon EC2	Application hosting and compute	Processes application data in transit and during operation, including user accounts, employee records, worklogs, attendance, leave requests, tasks and projects, support tickets, CRM data, and operational/system logs.	aws.amazon.com
Amazon S3	File storage and backups	Uploaded documents and files, generated exports, and system backups of the data categories listed above.
Amazon SNS	Notification delivery	Limited account and event metadata needed to deliver notifications and alerts (e.g., recipient identifiers and message content).

4. Security and Data Protection

We combine our own controls with the security capabilities of our subprocessors to protect customer data throughout its lifecycle.

Encryption in transit — data exchanged between users, our application, and our subprocessors is encrypted using industry-standard TLS.
Encryption at rest — stored data and backups are encrypted at rest where the underlying service supports it, including data held in Amazon S3 and other AWS storage.
Access controls — access to production systems and customer data is restricted on a least-privilege, role-based basis and granted only to authorized personnel.
Authentication measures — administrative and infrastructure access is protected by strong authentication, and we encourage multi-factor authentication for account access.
Infrastructure monitoring — we monitor our infrastructure and application for availability, anomalies, and potential security events, and maintain logging to support investigation.
Backup and disaster recovery — customer data is backed up regularly, and we maintain processes designed to restore service and data in the event of disruption.
Protection of customer information — as a multi-tenant platform, CrewForge is designed to keep each tenant's data logically separated, and we apply technical and organizational measures to safeguard it.

5. Changes to Subprocessors

As CrewForge grows, our list of subprocessors may change — we may add new providers or replace existing ones to improve the service. When that happens, we will update this page to reflect any material change to our subprocessors.

We encourage customers to review this page periodically. If you have questions about a current or prospective subprocessor, or would like to learn more about how your data is handled, please reach out using the contact details below.

6. Contact Information

We're happy to answer questions about our subprocessors, privacy practices, and security program.

Mailing address: CrewForge, Bangalore, India. (Contact details above are placeholders — replace with your published addresses before going live.)