Section 14 · The Technical Appendix
14Security & Data Handling
This section, also for your IT and security teams, summarizes how the system protects your data: how people sign in, how your organization's data is kept separate from every other customer's, how credentials are stored, and what data leaves your tenant. It's a plain-English overview to support your own review.
Sign-in and sessions
There are no CRM-specific passwords. Everyone signs in through your existing identity provider (Microsoft 365 or Google) using standard OpenID Connect, so your own multi-factor authentication, conditional-access, and account-lifecycle policies apply automatically. When you disable someone in your directory, they lose access here too.
Sessions are signed, time-limited, and can be revoked. They expire after a period of inactivity and have a hard maximum lifetime, after which the user signs in again.
Tenant isolation
The system is multi-tenant, and your organization is one tenant. Data is isolated at the database level: every record carries a tenant identifier, and the database enforces — on every single query — that a request can only ever see its own tenant's rows. This isn't a filter the application remembers to apply; it's a rule the database enforces by default, so one customer can never see another's data.
In plain terms
Your companies, contacts, emails, and coaching are visible only to your users. The isolation is enforced at the lowest level, so a bug in the application can't accidentally cross tenants — the database itself refuses.
Credentials and tokens
The system never sees or stores your users' passwords — authentication is handled entirely by your identity provider. The credentials that let the app act on a rep's behalf (the refresh tokens from your identity provider) are stored encrypted, and can only be used to act as that rep, within the narrow permissions listed in Section 13.
What data leaves your tenant
Being clear about this supports your review:
- Coaching engine. Call and meeting content submitted for scoring is processed by Fox & Crow's coaching service to produce the rubric scores and focus areas. This is the one place call/meeting content is analyzed outside the CRM's own database.
- Email and calendar. These flow directly between the rep's Microsoft 365 (or Google) account and the CRM, acting as that rep. Nothing is routed through a third-party mail relay.
- Lead data. Automated lead discovery uses public business-listing and web data via Fox & Crow's services; it brings data in, and doesn't send your data out.
Deletion and retention
Deleted records go to a recycle bin rather than disappearing, and only an Owner can permanently remove them (Section 12). Verbose operational logs from lead-collection jobs are pruned automatically after about 90 days; your business records — companies, contacts, activities — are retained until you delete them.
Recording and compliance
Call recording is off until you explicitly enable it and accept responsibility for consent and disclosure (Section 11). Email outreach can carry a mandatory unsubscribe footer and honors a suppression list, supporting your CAN-SPAM and similar obligations (Section 10). These controls are yours to configure to your jurisdiction.
Where to get specifics
For formal security documentation — hosting region, encryption-at-rest details, sub-processors, data-processing terms, and incident procedures — contact Fox & Crow directly. This section is an operational overview, not a substitute for those documents.
The bottom line
Your identity, your data, your control.
Sign-in rides on your identity provider; your data is isolated at the database level; tokens are encrypted and least-privilege; and the few places data is processed externally are named plainly. Bring this to your security team as a starting point for review.