CrewSyncer
Security
CrewSyncer connects to your Jobber account to show crew availability. That access is a responsibility we take seriously. This page describes the technical and organizational measures we use to protect your data.
Read-only by design
We request the minimum Jobber permissions needed to read your schedule — clients, jobs, scheduled items, and users — and no write access. CrewSyncer cannot modify, delete, or create anything in your Jobber account. We display availability; we do not change your data.
Encryption
- In transit: all traffic is served over HTTPS (TLS), enforced everywhere.
- At rest: your Jobber OAuth tokens are encrypted with AES-256-GCM before they are stored. They are decrypted only in memory, only to call the Jobber API on your behalf.
We never log your tokens
Access and refresh tokens are never written to logs, in any environment. When you disconnect the integration, the stored tokens are revoked and deleted.
Data minimization
We persist as little as possible. Your availability matrix is computed from live Jobber data and cached only briefly (about 60–120 seconds) before it expires. We do not keep a permanent archive of your scheduling data, job details, or your end customers' personal information. See our Privacy Policy for the full breakdown of what we store.
Webhook integrity
Every incoming webhook is signature-verified before any processing. Requests that fail verification are rejected outright — no data is read or written on an unverified request.
Infrastructure & sub-processors
CrewSyncer runs on Vercel, with data stored in US-region services. Our sub-processors (including Vercel, Neon, Upstash, Clerk, and Stripe) are bound to use your data only to provide their service to us. The current list is maintained in our Privacy Policy.
Reporting a vulnerability
If you believe you've found a security issue, please email support@crewsyncer.com. We welcome responsible disclosure and will respond promptly.