Security and trust

Practical controls, stated without inflated claims.

This page summarizes CrewLog’s product-level security and data practices. It is not a certification, audit report, or guarantee against every possible risk.

Workspace isolation

Each company operates in a private workspace. Application queries scope customer and workforce records to that workspace rather than sharing records across tenants.

Authentication choices

Employees use email and password by default, with optional Google Sign-In or device passkeys. Passwords are stored as salted hashes rather than plaintext.

Roles and administrative access

Worker, manager, administrator, and internal support capabilities are separated. Sensitive administrative actions are recorded in workspace or platform audit history.

Integration credentials

QuickBooks access and refresh tokens are encrypted with authenticated encryption before database storage. OAuth state and webhook signatures are validated by the integration workflow.

Data ownership and deletion

Customers own the records they enter. Workspace administrators can request deletion and receive an export through the documented account workflow.

Operational boundaries

CrewLog supports time-record review but does not promise that software alone establishes labor-law, payroll, tax, or regulatory compliance.

Report a security concern

Send a clear description and reproduction details to [email protected]. Do not include customer data or exploit a suspected issue beyond what is necessary to demonstrate it.