
Security & Compliance FAQ

Common questions from security teams, IT managers, and enterprise buyers about how CrewSynx handles data, compliance, and vulnerability management. Because CrewSynx is self-hosted, many of the answers are different from what you might expect from a SaaS product.

Last updated: 21 April 2026

Does CrewSynx store our data?

No. CrewSynx is a self-hosted product — you deploy it on your own server, VPS, or private cloud. Butterfly Instruments has zero access to any data processed inside your instance. You are the sole custodian of all employee records, attendance logs, project data, and messages stored in your installation.

Is CrewSynx SOC 2 certified?

SOC 2 is a certification for cloud service providers that store or process customer data on shared infrastructure. Because CrewSynx does not operate as a SaaS — we ship software for you to run — the SOC 2 framework does not apply to us in the traditional sense. The compliance obligations for your deployment environment (infrastructure, access controls, backups) rest with your organisation. If you require independent assurance of the application's security, we can provide a third-party penetration test report upon request.

Who is responsible for GDPR / data protection compliance?

Your organisation is the independent data controller for all personal data processed inside your CrewSynx instance. Butterfly Instruments is not a data processor in relation to that data — we never receive, access, or host it. You are responsible for ensuring your deployment meets applicable data protection laws (GDPR, UK GDPR, CCPA, etc.) in your jurisdiction.

What personal data does Butterfly Instruments hold about us?

The only personal data we hold is what you voluntarily provide when contacting us — typically your name, work email, and company name submitted through our pricing/contact form. This is used solely to respond to your inquiry. See our Privacy Policy for full details.

How are security vulnerabilities handled?

We maintain a responsible disclosure process. If you discover a security vulnerability in CrewSynx, please report it to contact@butterflyinstruments.com with details and steps to reproduce. We will acknowledge receipt within 2 business days, investigate, and release a patch for affected versions as quickly as possible. We ask that you do not publicly disclose findings until we have had reasonable time to address them.

Do you provide security patches for older versions?

We make security patches available for the Licensed Version covered by your agreement on a reasonable-efforts basis. Critical vulnerabilities are prioritised. Patches are distributed as version updates, and we notify license holders by email when a security-relevant update is available.

Can we run CrewSynx in an air-gapped environment?

Yes. CrewSynx is designed to run entirely on infrastructure you control with no mandatory call-home to Butterfly Instruments servers. You can deploy it in a fully isolated network if your security requirements demand it.

What authentication options are available?

CrewSynx supports email/password login with hashed credentials (bcrypt), role-based access control (RBAC) with granular permission sets, and organisation-level data isolation. Integration with your existing identity provider (SAML, LDAP/AD) can be scoped as a custom feature — contact us if this is a requirement.

Does CrewSynx support HIPAA compliance?

HIPAA compliance is the responsibility of the deploying organisation. CrewSynx does not hold protected health information (PHI) itself. Whether your use of CrewSynx involves PHI processing depends entirely on what data your organisation inputs into your instance. If you are in a HIPAA-regulated environment, your IT/compliance team should review your deployment configuration independently.

Do you offer a Data Processing Agreement (DPA)?

Because Butterfly Instruments does not process personal data from your CrewSynx instance, a traditional DPA (where we act as data processor) is not applicable. However, we offer a template DPA document for EU enterprise customers that formally documents this zero-access arrangement — available on our DPA page. If you have specific contractual requirements, contact us.

Where can I find your full security posture documentation?

We publish a one-page Security Posture overview covering our development practices, vulnerability management, and deployment security guidance. This is available on our Security Posture page, which you can share with your security team.

Still have questions?

If you have a specific security requirement, are filling out a vendor questionnaire, or need documentation for your compliance team, contact us at contact@butterflyinstruments.com. We respond to security inquiries within 2 business days.

© 2026 Butterfly Instruments. All rights reserved.