Security & trust

Your clients' data, guarded like their passengers.

TransferCRM carries VIP itineraries, corporate contracts and payment flows. We treat that responsibility as the product — European hosting, strict tenant isolation and backups we actually rehearse restoring.

EU data residency

Production systems and backups live in the European Union. Your data never needs a transatlantic excuse.

Strict tenant isolation

Every record is scoped to your workspace at the database layer. No shared lists, no cross-tenant leaks.

Roles & two-factor auth

Six roles with least-privilege defaults, two-factor authentication, and session revocation when a phone goes missing.

Encryption everywhere

TLS on every connection, encrypted storage at rest, hashed credentials — the boring hygiene done properly.

Backups with restore drills

Snapshots every 15 minutes, nightly encrypted archives kept off-site, and an automated weekly restore drill that proves they work.

Payments held by Stripe

Card data never touches our servers — payments run on your own PCI-DSS compliant Stripe account.

GDPR, in practice

Not a badge in the footer — a working process.

Legal Notice

Data processing agreement

A DPA is part of every subscription, with our subprocessors listed publicly in the legal notice.

Right to access & erasure

Export any client's data or erase it on request — tools for data-subject rights are built into the CRM.

Retention that expires

Logs and personal data follow documented retention periods instead of living forever.

EU subprocessors, disclosed

Stripe, Google, Pusher and our EU hosting provider — the full list stays public and current.

Found a vulnerability?

Write to hello@transfercrm.com with the details. We read every report, respond quickly and credit responsible disclosure.

Security questions before you commit? We answer procurement and DPO questionnaires for Business and Enterprise plans. Contact