Customer Responsibilities
Security is a shared responsibility between Crew and our customers. While we provide a secure platform, you are responsible for how you configure and use the service. This page outlines your key responsibilities.
Shared Responsibility Model
Account Security
Credential Management
You are responsible for:
- Securing API keys — Never expose in client-side code or public repositories
- Rotating credentials — Change API keys regularly (recommended: 90 days)
- Limiting access — Use scoped API keys with minimal permissions
- Password policies — Enforce strong passwords for team members
- MFA enrollment — Enable MFA for all users (required for Enterprise)
Best Practices
Credential Compromise
If you suspect credentials are compromised:
- Immediately revoke the affected credentials
- Generate new credentials
- Update all applications using those credentials
- Review audit logs for unauthorized access
- Report to security@usecrew.ai if Crew systems may be affected
Access Control
User Management
You are responsible for:
- Adding users appropriately with correct roles
- Removing users promptly when they leave
- Regular access reviews (recommended: quarterly)
- Role assignment based on job requirements
Role Assignment Guidelines
| Role | Should Have | Examples |
|---|---|---|
| Owner | Critical operations only | Account deletion, billing |
| Admin | Day-to-day management | Agent config, user management |
| Member | Operational tasks | Call review, knowledge updates |
| Viewer | Read-only needs | Analytics, monitoring |
Separation of Duties
Consider separating:
- Production vs. development access
- Configuration vs. monitoring access
- Data access vs. administrative access
Data Protection
Classification
You are responsible for understanding what data flows through Crew:
| Data Type | Your Classification | Handling Requirements |
|---|---|---|
| Customer calls | Your determination | Based on industry |
| Transcripts | Your determination | Based on content |
| Recordings | Your determination | Based on regulations |
Retention Configuration
Set appropriate retention periods:
PII Considerations
If handling PII:
- Configure PII redaction
- Set appropriate retention
- Document data flows
- Honor data subject requests
Compliance
Regulatory Compliance
You are responsible for:
- Determining applicable regulations (HIPAA, GDPR, CCPA, etc.)
- Configuring Crew to meet those requirements
- Maintaining required documentation
- Conducting required assessments
Documentation
Maintain records of:
- Security configurations
- Access control decisions
- Data processing activities
- Vendor assessments (including Crew)
Auditing
Regularly review:
- User access and roles
- API key usage
- Audit logs
- Security settings
Integration Security
Webhook Security
When receiving webhooks:
API Integration
When integrating with Crew:
- Use HTTPS only
- Validate all responses
- Handle errors gracefully
- Don’t log sensitive data
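The signature check that the Webhook Security section and the checklist item "Webhook signatures verified" call for, as an added example that is not Crew's own code. Crew's real header names and signing algorithm are not given on this page, so this assumes an HMAC-SHA256 over a timestamp and the raw request body, with the header names and the 5-minute replay window below as assumptions.

```python
import hashlib
import hmac
import time

# Assumed scheme (not Crew's documented one): the sender signs
# "<unix_timestamp>.<raw_request_body>" with HMAC-SHA256 under the shared
# webhook secret and sends the hex digest and the timestamp as headers.
SIGNATURE_HEADER = "X-Webhook-Signature"  # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"  # assumed header name
MAX_SKEW_SECONDS = 300  # deliveries older than this are treated as replays


def compute_signature(secret, timestamp, body):
    """Hex HMAC-SHA256 over '<timestamp>.<body>' (body is the raw bytes)."""
    msg = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_headers(secret, body, now=None):
    """Sender side: the headers a signed delivery would carry."""
    ts = str(int(time.time() if now is None else now))
    return {TIMESTAMP_HEADER: ts, SIGNATURE_HEADER: compute_signature(secret, ts, body)}


def verify_webhook(secret, headers, body, now=None):
    """Receiver side: accept only a fresh delivery whose signature matches.

    Verify against the raw body bytes, before any JSON parsing, so that
    re-serialisation cannot change what is being signed.
    """
    signature = headers.get(SIGNATURE_HEADER, "")
    timestamp = headers.get(TIMESTAMP_HEADER, "")
    if not signature or not timestamp.isdigit():
        return False  # missing or malformed headers: reject, never fall back to unsigned
    now = time.time() if now is None else now
    if abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False  # stale timestamp: a captured delivery cannot be replayed later
    expected = compute_signature(secret, timestamp, body)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, signature)
```

Store the webhook secret with the same care as an API key, and log the verification outcome rather than the payload.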
Third-Party Integrations
When connecting external systems:
- Assess security of connected systems
- Use minimal required permissions
- Encrypt stored credentials
- Monitor integration access
Monitoring and Response
Audit Log Review
Regularly review audit logs for:
- Unexpected access patterns
- Failed authentication attempts
- Configuration changes
- Data export activities
Alerting
Configure alerts for:
- Multiple failed login attempts
- Access from unusual locations
- Large data exports
- Configuration changes
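One way to turn the audit log review and alerting items above into detection logic, as an added example that is not Crew's own code: the record fields, the per-user country baseline and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records; field names are assumed, not Crew's real log format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05Z", "event": "login_failed", "user": "ana", "country": "US", "bytes": 0},
    {"ts": "2024-05-01T09:00:20Z", "event": "login_failed", "user": "ana", "country": "US", "bytes": 0},
    {"ts": "2024-05-01T09:00:41Z", "event": "login_failed", "user": "ana", "country": "US", "bytes": 0},
    {"ts": "2024-05-01T09:01:02Z", "event": "login_failed", "user": "ana", "country": "US", "bytes": 0},
    {"ts": "2024-05-01T09:01:30Z", "event": "login_failed", "user": "ana", "country": "US", "bytes": 0},
    {"ts": "2024-05-01T10:15:00Z", "event": "login_success", "user": "bo", "country": "BR", "bytes": 0},
    {"ts": "2024-05-01T10:20:00Z", "event": "data_export", "user": "bo", "country": "BR", "bytes": 3_000_000_000},
    {"ts": "2024-05-01T10:25:00Z", "event": "config_change", "user": "bo", "country": "BR", "bytes": 0},
    {"ts": "2024-05-01T11:00:00Z", "event": "data_export", "user": "ana", "country": "US", "bytes": 20_000},
]
# Countries each user normally signs in from (assumed baseline; in practice built from history).
KNOWN_COUNTRIES = {"ana": {"US"}, "bo": {"US", "CA"}}
FAILED_LOGIN_THRESHOLD = 5                  # failures per user ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
EXPORT_BYTES_THRESHOLD = 1_000_000_000      # exports at or above 1 GB count as "large"


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_alerts(events, known_countries=KNOWN_COUNTRIES):
    """Return (rule, user, timestamp) tuples for the four alert conditions."""
    alerts = []
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window
    for e in sorted(events, key=lambda x: x["ts"]):  # ISO timestamps sort lexically
        t, user = _parse(e["ts"]), e["user"]
        if e["event"] == "login_failed":
            window = [f for f in recent_failures[user] if t - f <= FAILED_LOGIN_WINDOW]
            window.append(t)
            recent_failures[user] = window
            if len(window) >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed_login_burst", user, e["ts"]))
                recent_failures[user] = []  # one alert per burst, not one per extra failure
        elif e["event"] == "login_success" and e["country"] not in known_countries.get(user, set()):
            alerts.append(("unusual_location", user, e["ts"]))
        elif e["event"] == "data_export" and e["bytes"] >= EXPORT_BYTES_THRESHOLD:
            alerts.append(("large_export", user, e["ts"]))
        elif e["event"] == "config_change":
            alerts.append(("config_change", user, e["ts"]))  # every config change is reviewed
    return alerts
```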
Incident Response
Develop procedures for:
- Detection — How you’ll identify security incidents
- Response — Immediate actions to contain impact
- Communication — Who to notify (including Crew if relevant)
- Recovery — Restoring normal operations
- Post-incident — Analysis and improvement
Application Security
Custom Integrations
If building integrations:
- Follow secure coding practices
- Validate all inputs
- Handle credentials securely
- Keep dependencies updated
Code Node Security
When using Custom Code Nodes:
- Don’t hardcode credentials (use secrets)
- Validate external API responses
- Handle errors appropriately
- Don’t log sensitive data
Training
Team Training
Ensure team members understand:
- How to access Crew securely
- Data handling requirements
- Incident reporting procedures
- Their specific responsibilities
Documentation
Maintain internal documentation for:
- Access request procedures
- Secure configuration standards
- Incident response playbooks
- Compliance requirements
Reporting Security Issues
To Crew
Report security concerns to:
- Email: security@usecrew.ai
- Priority: Include severity assessment
- Details: Provide reproduction steps if applicable
Internal Reporting
Establish internal procedures for:
- Reporting suspected incidents
- Escalation paths
- Documentation requirements
Checklist
Use this checklist for security reviews:
Credential Management
- API keys stored securely (not in code)
- API keys scoped to minimal permissions
- Keys rotated within 90 days
- Unused keys revoked
User Access
- All users have appropriate roles
- No shared accounts
- MFA enabled for all users
- Recent access review completed
Data Protection
- Retention periods configured
- PII handling configured
- Recording settings appropriate
- Data classification documented
Monitoring
- Audit logs reviewed recently
- Alerts configured
- Incident response plan exists
- Contact information current
Integrations
- Webhook signatures verified
- External system security assessed
- Integration credentials secured
- Minimal permissions granted
Support
For security-related questions:
- General security: security@usecrew.ai
- Compliance questions: compliance@usecrew.ai
- Enterprise support: Your dedicated contact
Next Steps
- Security Overview — Platform security details
- Data Handling — Data processing information
- Healthcare Readiness — Healthcare considerations