Compliance

Last Updated: March 4, 2026

Autocrew is committed to meeting and exceeding regulatory requirements across the jurisdictions we operate in. This page outlines our compliance posture and the frameworks we adhere to.

Compliance Overview

As an AI-powered platform that processes business data on behalf of our customers, we take our regulatory obligations seriously. Our compliance program includes:

  • Continuous monitoring: Automated compliance monitoring tools that track our adherence to regulatory requirements in real time
  • Regular assessments: Periodic internal audits and third-party assessments to validate our compliance posture
  • Policy governance: A dedicated compliance team that maintains and updates policies as regulations evolve
  • Transparency: Clear documentation of our practices so customers can assess our suitability for their compliance needs

GDPR Compliance

Autocrew complies with the General Data Protection Regulation (GDPR) for all processing of personal data of individuals in the European Economic Area (EEA) and United Kingdom.

We process personal data under the following legal bases:

  • Contract performance: Processing necessary to deliver the Autocrew platform and services you have subscribed to
  • Legitimate interest: Processing for service improvement, security monitoring, and fraud prevention, balanced against data subject rights
  • Consent: Marketing communications and optional analytics, where consent can be withdrawn at any time
  • Legal obligation: Processing required to comply with applicable laws, such as tax reporting and regulatory requests

Data Subject Rights

Autocrew supports the exercise of all GDPR data subject rights. We provide mechanisms for individuals to:

  • Access their personal data and obtain a copy
  • Rectify inaccurate or incomplete personal data
  • Request erasure of personal data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Receive personal data in a portable, machine-readable format
  • Object to processing based on legitimate interest or direct marketing
  • Not be subject to solely automated decisions with legal or significant effects

Data subject requests can be submitted to support@autocrew-ai.com and are processed within 30 days.

Data Protection by Design

  • Privacy impact assessments conducted for new features and processing activities
  • Data minimization principles applied across all data collection points
  • Pseudonymization capabilities for sensitive data processing
  • Default privacy settings that prioritize data protection

International Transfers

When personal data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organizational measures where appropriate. We monitor adequacy decisions and update our transfer mechanisms accordingly.

CCPA/CPRA Compliance

Autocrew complies with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for California residents.

Categories of Personal Information

We may collect the following categories of personal information:

  • Identifiers (name, email address, account credentials)
  • Commercial information (subscription plans, billing history)
  • Internet activity (usage logs, feature interactions, IP addresses)
  • Professional information (company name, job title)
  • Inferences drawn from the above to improve our services

Consumer Rights

California residents have the right to:

  • Know what personal information is collected, used, and disclosed
  • Delete personal information held by us and our service providers
  • Correct inaccurate personal information
  • Opt out of the sale or sharing of personal information
  • Limit the use of sensitive personal information
  • Non-discrimination for exercising their privacy rights

"Do Not Sell or Share" Commitment

Autocrew does not sell personal information to third parties. We do not share personal information for cross-context behavioral advertising. Our data processing is limited to providing and improving our services.

Service Provider Obligations

When acting as a service provider on behalf of our customers, we process personal information only as directed by the customer and in accordance with our contractual obligations. We do not retain, use, or disclose personal information for purposes other than performing the services specified in the agreement.

SOC 2 Framework

Autocrew's security controls are aligned with the SOC 2 Trust Service Criteria established by the American Institute of Certified Public Accountants (AICPA).

  • Security: Protection of systems and data against unauthorized access through access controls, encryption, and network security
  • Availability: System availability maintained through redundancy, monitoring, and disaster recovery planning
  • Processing Integrity: Data processed accurately, completely, and in a timely manner
  • Confidentiality: Confidential information protected throughout its lifecycle
  • Privacy: Personal information collected, used, retained, and disclosed in accordance with our privacy commitments

Enterprise customers can request our SOC 2 Type II report under NDA by contacting support@autocrew-ai.com.

ISO 27001 Alignment

Autocrew's Information Security Management System (ISMS) is aligned with the ISO/IEC 27001 standard:

  • Risk assessment: Systematic identification, evaluation, and treatment of information security risks
  • Controls implementation: Security controls mapped to ISO 27001 Annex A covering areas including access control, cryptography, operations security, and supplier relationships
  • Continuous improvement: Regular management reviews, internal audits, and corrective actions to strengthen our security posture
  • Documentation: Comprehensive policies and procedures maintained and reviewed on a regular cycle

AI-Specific Regulations

EU AI Act Awareness

Autocrew monitors developments under the EU AI Act and proactively assesses our AI systems against its risk classification framework:

  • Classification of AI crew capabilities by risk level
  • Transparency obligations — clear disclosure when users interact with AI systems
  • Human oversight mechanisms for AI-driven decisions
  • Technical documentation of AI system capabilities and limitations
  • Ongoing monitoring for bias, accuracy, and robustness in AI outputs

Responsible AI Practices

  • Bias monitoring: Regular evaluation of AI models for unintended bias across demographic groups and use cases
  • Fairness assessments: Testing to ensure AI outputs do not disproportionately impact any group
  • Explainability: AI decisions can be explained and reviewed, with audit trails of AI processing activities
  • Model governance: Formal review and approval processes for AI model deployment and updates

Data Protection Impact Assessments

Autocrew conducts Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals:

  • DPIAs conducted before deploying new AI features or processing activities
  • Assessments cover data flows, risk identification, and mitigation measures
  • Regular reviews of existing DPIAs as processing activities evolve
  • Summary findings available to enterprise customers upon request

Subprocessor Management

We maintain rigorous oversight of all subprocessors that process data on our behalf:

  • Due diligence: Security and privacy assessments conducted before engaging any new subprocessor
  • Contractual requirements: Data Processing Agreements (DPAs) executed with all subprocessors, requiring equivalent data protection standards
  • Change notification: Customers notified at least 30 days before any material change to subprocessors that handle their data
  • Ongoing monitoring: Regular reassessment of subprocessor compliance and security posture

Certifications and Audits

Our current compliance certifications and audit activities include:

  • SOC 2 Type II: Annual audit covering all five Trust Service Criteria
  • ISO 27001: Information security management system alignment with planned certification
  • Penetration testing: Annual third-party penetration testing by independent security firms
  • Vulnerability assessments: Continuous automated vulnerability scanning across our infrastructure

Customers can request copies of audit reports, certifications, and security documentation by contacting our compliance team. For more information about our technical security controls, see our Security page.

Contact Us

If you have questions about our compliance practices or need to request compliance documentation, please contact us:

  • Compliance Team: support@autocrew-ai.com
  • Data Protection Officer: support@autocrew-ai.com
  • Address: Autocrew Inc., 123 AI Street, San Francisco, CA 94105