
Privacy & Data Security Policy

Version: 1.0

Effective Date: 1st January 2025
Contact: info@fwrdcrm.com | fwrdcrm.com 

Overview

At FWRD, we take data security and confidentiality seriously. This policy outlines the practices we follow to protect client data and meet the expectations set out in our contractual agreements, including Non-Disclosure Agreements (NDAs). 


Our practices are designed to comply with relevant global standards including: 

  • GDPR (EU)

  • DPA (UK)

  • PDPA (Philippines and APAC region)

How We Protect Client Data 

We work within platforms owned and operated by our clients, such as Zoho, Google Workspace, and Microsoft 365. In addition, we use internal systems such as Zoho WorkDrive, Zoho Vault, and Zoho Projects to support secure collaboration and document management. 


We do not independently store or process client data outside of these approved environments and only access systems as explicitly permitted by the client for project-related tasks. 


We also periodically review our subprocessors and internal tools to ensure continued compliance with applicable data protection regulations and to mitigate risk exposure. 

Access & Credentials 

  • Credentials are stored using Zoho Vault, a secure, encrypted password manager. 

  • Team members only access systems for tasks they are assigned. 

  • We apply strict access controls and revoke access immediately at project end or role change.

 

File Handling

  • All files are stored in client-specific folders in Zoho WorkDrive or other approved platforms.

  • Temporary local storage is avoided. If used, files are deleted immediately after upload or delivery.

  • Local caches, downloads, and synced folders are cleared regularly.

Exports & Downloads

  • We minimize exports or downloads of client data unless operationally necessary.

  • Data logs or usage reports are created only if agreed with the client.

Communication

  • We use secure tools like Zoho Mail, Zoho Cliq, and Zoho Projects for internal communication.

  • Sensitive information is not shared via personal chat apps or email without encryption.

  • Client data is never discussed in public or unsecure environments.

Working With Your Data

At FWRD, we treat client data with discretion and do not use it for any purpose outside the agreed project scope. 

 

We will never:

  • Reuse your data in other client work

  • Use your proprietary information to train, or contribute it to, any public AI models

  • Screenshot, replicate, or store data for internal documentation, analysis, or case studies without your explicit consent

 

All data access is limited to team members directly involved in the project and governed by strict confidentiality and security protocols.

 

We may use internal tools such as Zoho Vault, Zoho WorkDrive, and our custom private GPT to support project workflows, always ensuring that client data is only used when expressly permitted and in secure environments.

Use of AI Tools

FWRD uses AI responsibly to improve internal efficiency, collaboration, and communication. We have developed a custom, private GPT to support these efforts in a secure and isolated environment. This AI instance: 

  • Operates independently of public AI models

  • Does not train or influence external AI platforms

  • Does not share or retain client data beyond its intended use

 

Permitted use cases include:

  • Drafting internal documentation and communications

  • Conducting technical research using public or dummy data

  • Testing workflows or automations with anonymized inputs

  • Transcribing and summarizing internal or client-approved meetings

 

Strictly prohibited unless reviewed and approved:

  • Entering client-specific configurations, credentials, or personal data into public or external AI tools (e.g. ChatGPT, Copilot, OpenAI)

  • Any AI usage that may violate NDAs or client data handling requirements

 

FWRD regularly reviews AI usage practices to uphold client confidentiality and regulatory compliance.

Support for Data Subject Rights 

If FWRD is required to support data subject access requests, corrections, or deletions, we will cooperate with the client as the Data Controller to fulfill those obligations under GDPR or other applicable data protection regulations.

End-of-Project Procedures

At the close of a project, we:

  • Revoke all access to your systems

  • Delete residual files from local and synced folders

  • Confirm that final files are delivered to your WorkDrive or shared folder

  • Archive final deliverables in our internal system, where agreed

Confidentiality

All FWRD team members are bound by: 

  • Their employment or subcontractor NDA

  • An internal Data Security Policy

  • The client's signed Non-Disclosure Agreement (if applicable)

We are committed to protecting:

  • Business strategies and internal processes

  • Financial data, analytics, and KPIs

  • Technical system architecture and workflows

  • Personal data (e.g., staff or customer information)

  • Credentials and access-related data

Breach Notification & Escalation

If an incident occurs (e.g. lost device, misdirected file, unauthorized access), we will:

  • Notify the client immediately

  • Take corrective action to mitigate impact

  • Investigate and log the issue internally

  • Support legal or compliance processes if required

Policy Review & Contact

This policy is reviewed annually or following any significant update to our tooling or client obligations. Any material changes to this policy will be communicated in writing to active clients and partners.

Questions?

Contact us at info@fwrdcrm.com
