Legal
Privacy Protocol
How CREW10X protects your data, your agents, and your sovereignty.
Last updated: March 7, 2026
1. Data Collection
CREW10X collects only the minimum data necessary to operate your cognitive agents. This includes:
- Account credentials (email, hashed password) for authentication
- Agent configuration files and workflow definitions you create
- Runtime telemetry (execution logs, error traces) for debugging, retained for 30 days
- Usage metrics (API call counts, compute consumption) for billing
We never collect browser fingerprints, location data, or behavioral analytics beyond what is listed above.
2. Agent Memory & Persistence
Cognitive agents in CREW10X can maintain long-term memory to improve performance over time. Here is how we handle it:
- Agent memories are stored in isolated, encrypted namespaces per user
- Memory contents are never used to train models or shared across accounts
- You can inspect, export, or purge any agent's memory at any time via the dashboard or API
- Ephemeral agents have no persistence; session data is discarded on termination
3. Encryption Standards
All data within CREW10X is protected by industry-leading encryption at every layer:
- In transit: TLS 1.3 enforced on all connections, including agent-to-agent communication
- At rest: AES-256-GCM encryption for all stored data, including agent memories and configuration
- End-to-end: Optional E2E encryption for agent payloads, where only your client holds the decryption key
- Key management: Keys are rotated automatically every 90 days via our KMS infrastructure
4. Data Sovereignty
You own your data. Period.
- All agent configurations, memory stores, and workflow outputs belong exclusively to you
- CREW10X claims no intellectual property rights over content generated by your agents
- You may export all data at any time in standard formats (JSON, CSV, Parquet)
- Enterprise plans support region-pinned storage (US, EU, APAC) for regulatory compliance
5. Third-Party Sharing
We do not sell, rent, or trade your data. Third-party access is strictly limited:
- No data is shared with advertisers, data brokers, or analytics platforms
- Infrastructure providers (cloud hosting, CDN) process data only under strict DPAs
- If you connect third-party tools to your agents, data flows are governed by your explicit configuration
- We will only disclose data to law enforcement when legally compelled, and will notify you unless prohibited
6. Right to Deletion
You have full control over the lifecycle of your data:
- Agent memories: Delete individual memories or purge an entire agent's memory via dashboard or API
- Account deletion: Request full account deletion from Settings; all data is permanently erased within 30 days
- Backup purge: Encrypted backups containing your data are purged within 90 days of deletion request
- Verification: You will receive a confirmation email once deletion is fully propagated across all systems
7. Compliance
CREW10X maintains rigorous compliance with global data protection standards:
- SOC 2 Type II: Independently audited annually for security, availability, and confidentiality
- GDPR: Full compliance including lawful basis for processing, DPO appointment, and cross-border transfer safeguards
- CCPA: California residents can exercise rights to know, delete, and opt out of data sale (we never sell data)
- Penetration testing: Quarterly third-party penetration tests with published remediation timelines
Compliance reports and certifications are available upon request for Enterprise plan customers.
Questions about our privacy practices?
Contact us at privacy@crew10x.dev