Security & privacy

How CaesarCRM protects customer data.

Your pipeline and your inbox are the two things you can least afford to have handled carelessly, so we treat them the way we treat production code — locked down, logged, and recoverable.

EU data residency

Your CRM data is stored in the European Union, in Amsterdam, and backed up daily.

Encryption

TLS in transit. Credentials for the accounts you connect are encrypted with AES-256-GCM at rest.

Tenant isolation

Separation is enforced by Postgres row-level security, not by application code remembering to filter.

What we store, and what we do not

Stored

  • Your CRM records — leads, contacts, deals, notes, tasks, and activity history.
  • Email your agents send and receive, including open and reply tracking.
  • Credentials for accounts you connect, encrypted at rest.
  • Account details and password hashes. We cannot read your password.

Not stored

  • Card details. Payments run through Stripe's own hosted checkout, so card numbers never reach our servers.
  • Anything from a connected CRM beyond what the agent needs to work your list — CaesarOne reads and writes, it does not take a copy of your database.

Access controls

  • Sign in with passkeys — Face ID, Touch ID, or a hardware key — so there is no password to phish.
  • One-time email codes as a second factor, with downloadable recovery codes for a lost device.
  • See every active session and sign any device out on its own, or sign out everything except the one you are on.
  • Role-based access inside your workspace, so people see what you decide they should.
  • Changes to records are recorded with the account that made them, the values before and after, and the time.

What an AI agent can and cannot do

An agent sends email in your name, so the limits on it matter as much as the limits on your account.

  • An agent sends only from the mailboxes you connect, at a pace you set, never from an address you have not authorised.
  • It checks your CRM before contacting anyone, so it will not cold-email an existing customer, a live opportunity, or someone who has opted out.
  • You can require your approval on every email before it sends, and turn that off only when you are ready.
  • Every action is recorded — what was sent, to whom, from which mailbox, and when.

Data protection and GDPR

  • CaesarCRM is a product of Friars Technologies Limited, registered as a data controller with the UK Information Commissioner's Office under reference ZC161465. You can verify that on the ICO's public register.
  • We handle personal data in line with UK and EU GDPR. Your CRM data is stored and backed up in the EU.
  • You can access, export, correct, or delete your data at any time, and withdraw consent where processing relies on it.
  • Non-essential cookies stay switched off until you choose otherwise.
  • Writing agent emails uses Anthropic, and payments run through Stripe, both in the United States — we choose established providers and review them before they touch customer data. We will share our full list of sub-processors with your security or legal team on request.
  • If you believe we have handled your data wrongly, you can complain to the UK Information Commissioner's Office at ico.org.uk.

Your controls

  • Export your leads and deals at any time, in a standard format.
  • Ask us to delete your data, and we will.
  • Revoke a connected Gmail or Calendar account whenever you want, from settings.
  • Turn off non-essential cookies on your first visit, and change it later.

Found a vulnerability? Report it to [email protected]. We will not pursue action against anyone who reports a genuine issue in good faith and gives us a reasonable chance to fix it.