Security

Your consultant data is sensitive. We treat it that way.

Crewpathio is designed for professional services firms whose consultant profiles contain performance records, salary-adjacent data, and client relationship history. Our security posture reflects that sensitivity.

Controls

Encryption, access, and audit at every layer.

Encryption at rest and in transit

All consultant profile data and engagement records are encrypted at rest using AES-256. All data in transit uses TLS 1.2 or higher. Encryption keys are managed via AWS KMS with automatic rotation.

Role-based access controls

Access to consultant data is controlled by role (resource manager, executive, read-only analyst). Each role has an explicit set of permissions and nothing beyond it; for example, read-only analysts cannot see full consultant profiles, only utilization aggregates.
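
An added example, not Crewpathio's code, of how a deny-by-default role check and an aggregates-only view can be enforced in application code. The role names, permission strings, field names and consultant records are constructed assumptions modelled on the description above. It also handles a failure mode the paragraph does not mention: an aggregate computed over a single consultant is that consultant's own number, so groups smaller than a threshold are suppressed rather than reported.

```python
"""Role-based access to consultant data, deny by default.

Added illustration, not Crewpathio's code. The roles, permission strings,
field names and consultant records below are constructed assumptions based
on the page's description: resource managers and executives read full
profiles; read-only analysts get utilization aggregates only.
"""
from __future__ import annotations

from statistics import mean
from typing import Any

# Constructed sample records with the kinds of fields the page calls sensitive.
CONSULTANTS: dict[str, dict[str, Any]] = {
    "c-001": {"name": "A. Ahmed", "practice": "Cloud", "utilization": 0.82,
              "performance_rating": 4, "salary_band": "L3", "clients": ["Acme"]},
    "c-002": {"name": "B. Berg", "practice": "Cloud", "utilization": 0.71,
              "performance_rating": 3, "salary_band": "L2", "clients": ["Globex"]},
    "c-003": {"name": "C. Chen", "practice": "Cloud", "utilization": 0.93,
              "performance_rating": 5, "salary_band": "L4", "clients": ["Initech"]},
    "c-004": {"name": "D. Diaz", "practice": "Data", "utilization": 0.64,
              "performance_rating": 4, "salary_band": "L3", "clients": ["Umbrella"]},
}

# Explicit allow-list per role. A permission absent here, or an unknown role,
# is denied: there is no implicit grant to fall back on.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "resource_manager": frozenset({"profile:read", "utilization:aggregate"}),
    "executive": frozenset({"profile:read", "utilization:aggregate"}),
    "read_only_analyst": frozenset({"utilization:aggregate"}),
}

# An aggregate over one consultant is that consultant's record with the name
# removed, so aggregates are only released for groups of at least this size.
MIN_GROUP_SIZE = 3


class AccessDenied(PermissionError):
    """Raised whenever a role is not explicitly granted the permission."""


def authorize(role: str, permission: str) -> None:
    if permission not in ROLE_PERMISSIONS.get(role, frozenset()):
        raise AccessDenied(f"role {role!r} is not granted {permission!r}")


def read_profile(role: str, consultant_id: str) -> dict[str, Any]:
    """Return the full profile; only roles holding profile:read get here."""
    authorize(role, "profile:read")
    return dict(CONSULTANTS[consultant_id])


def utilization_by_practice(role: str) -> dict[str, dict[str, float | int]]:
    """Return headcount and mean utilization per practice, nothing per person.

    Practices with fewer than MIN_GROUP_SIZE consultants are omitted rather
    than reported, so the aggregate cannot be used to read one person's number.
    """
    authorize(role, "utilization:aggregate")
    groups: dict[str, list[float]] = {}
    for record in CONSULTANTS.values():
        groups.setdefault(record["practice"], []).append(record["utilization"])
    return {
        practice: {"headcount": len(values), "mean_utilization": round(mean(values), 3)}
        for practice, values in groups.items()
        if len(values) >= MIN_GROUP_SIZE
    }


if __name__ == "__main__":
    print(utilization_by_practice("read_only_analyst"))  # Cloud only; Data suppressed
    try:
        read_profile("read_only_analyst", "c-001")
    except AccessDenied as exc:
        print("denied:", exc)
```

The two design choices worth copying are the explicit allow-list (an unknown role or a new permission is denied until someone grants it) and the minimum group size on aggregates, which is what keeps an aggregates-only role from being a profile read in disguise.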

Single Sign-On (SSO / SAML)

SAML 2.0 SSO integration with major identity providers including Okta and Microsoft Entra ID. Available on the Scale plan. Because sign-in is delegated to your identity provider, the MFA and session policies you configure there are enforced on every Crewpathio login.

Immutable audit log

Every access to consultant profiles, every match query, and every configuration change is logged in an immutable audit trail. Logs are retained for 90 days by default, configurable to 2 years on Scale plan.

Data residency (US)

All data is stored and processed in AWS us-east-1 (Virginia). No cross-border data transfer. For Scale plan customers requiring alternative AWS regions, custom deployment agreements are available.

Data retention and deletion

On account termination, all consultant data is purged within 30 days via verified deletion. Customers can request deletion confirmation documentation. Pilot data is purged automatically if a pilot does not convert.

Infrastructure

Built on AWS with defense-in-depth.

Crewpathio runs on Amazon Web Services with a multi-layer security architecture. Network segmentation isolates consultant data from the web application layer. The graph computation engine runs in a private subnet with no public internet access — all communication is internal.

We use AWS Shield Standard for DDoS protection, AWS WAF rules to block common web attack patterns, and VPC Flow Logs to record and monitor network traffic metadata across the VPC.

Edge / CDN layer: AWS CloudFront + WAF, all public traffic
Application layer: public subnet (VPC), REST API only
Scoring engine: private subnet, no public internet access
Data layer: RDS + graph DB in isolated private subnet, AES-256 encrypted
Audit logs: CloudTrail + S3 immutable log archive, 90-day default retention
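
The immutable audit trail described under Controls and the CloudTrail + S3 archive listed above both rest on the same property: a record, once written, cannot be altered or dropped without that being detectable. As an added illustration of what a verifiable trail looks like (not Crewpathio's code; the page does not describe how its log or the S3 archive is implemented, and the event names, actor identifiers and tamper scenarios here are constructed), each record below carries a SHA-256 over its own content and the previous record's hash, the digest-chaining idea that CloudTrail's log file validation also uses. The only value that must be kept somewhere the log writer cannot change is the head hash; verify() then detects edits, deletions and truncation.

```python
"""Tamper-evident audit trail, as an added illustration.

Not Crewpathio's code. Each record hashes its own content together with the
previous record's hash, so any edit, deletion or reordering after the fact
breaks the chain. The head hash is assumed to be stored out of band (for
example in a write-once archive) at write time.
"""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, replace

GENESIS = "0" * 64  # prev_hash of the first record


@dataclass
class Record:
    seq: int
    actor: str
    action: str      # constructed names: profile.read, match.query, config.change
    target: str
    prev_hash: str
    entry_hash: str = ""

    def payload(self) -> bytes:
        """Canonical bytes that the hash covers (everything except entry_hash)."""
        body = {"seq": self.seq, "actor": self.actor, "action": self.action,
                "target": self.target, "prev_hash": self.prev_hash}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


class AuditTrail:
    def __init__(self) -> None:
        self.records: list[Record] = []

    def head(self) -> str:
        return self.records[-1].entry_hash if self.records else GENESIS

    def append(self, actor: str, action: str, target: str) -> Record:
        rec = Record(len(self.records), actor, action, target, self.head())
        rec.entry_hash = hashlib.sha256(rec.payload()).hexdigest()
        self.records.append(rec)
        return rec


def verify(records: list[Record], expected_head: str) -> tuple[bool, int]:
    """Return (ok, index). index is the first bad record, or -1 when ok.

    expected_head is the head hash anchored out of band; comparing against it
    is what catches silent truncation of the tail.
    """
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec.seq != i or rec.prev_hash != prev:
            return False, i            # gap, reorder or deletion before i
        if hashlib.sha256(rec.payload()).hexdigest() != rec.entry_hash:
            return False, i            # content of record i was edited
        prev = rec.entry_hash
    if prev != expected_head:
        return False, len(records)     # records missing from the tail
    return True, -1


def demo() -> dict[str, tuple[bool, int]]:
    """Constructed scenario: three events, then three kinds of tampering."""
    trail = AuditTrail()
    trail.append("rm-alice", "profile.read", "consultant:c-001")
    trail.append("analyst-bob", "match.query", "practice=Cloud")
    trail.append("admin-carol", "config.change", "sso.enforce=true")
    anchor = trail.head()  # stored out of band at write time

    intact = verify(trail.records, anchor)

    # 1. Rewrite who read the profile: record 0 no longer matches its hash.
    edited = [replace(r) for r in trail.records]
    edited[0].actor = "rm-mallory"
    edit_result = verify(edited, anchor)

    # 2. Drop the middle record: the chain breaks at the gap.
    dropped = [replace(r) for r in trail.records]
    del dropped[1]
    drop_result = verify(dropped, anchor)

    # 3. Truncate the tail: every remaining record checks out, but the head
    #    no longer matches the anchored value.
    trunc_result = verify(trail.records[:2], anchor)

    return {"intact": intact, "edited": edit_result,
            "dropped": drop_result, "truncated": trunc_result}


if __name__ == "__main__":
    print(demo())
```

When assessing an "immutable" log, the questions this example makes concrete are which value is anchored outside the writer's control, who can alter the write-once store that holds it, and whether verification runs routinely rather than only after an incident.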

Compliance Posture

Designed with SOC 2 controls. Not yet certified.

Crewpathio is an early-stage company. We have designed our infrastructure and access controls to align with the SOC 2 Trust Services Criteria that a Type II audit examines: encryption at rest and in transit, immutable audit logs, role-based access, and documented incident response. We have not yet completed a formal SOC 2 audit. If your firm's procurement process requires a completed SOC 2 report, contact us: we can provide a detailed security questionnaire and discuss your timeline.

Responsible Disclosure

Found a vulnerability? Tell us.

We take all security reports seriously. If you discover a potential vulnerability in Crewpathio, please contact us at [email protected] with a description of the issue. We will acknowledge receipt within 48 hours and keep you informed as we investigate. We ask that you do not publicly disclose the issue until we have had the opportunity to address it.

Need full security documentation?

We provide a security questionnaire pack for enterprise procurement teams on request. Contact us and we will route your request to our security team.