All articles
Product Updates

Data Security in a Modern CRM: Encryption, Roles, Audit

ASH Team · 3 July 2026 · 5 min read

A CRM concentrates the most sensitive information a business holds: every customer's name, phone number, requirements and conversation history. That concentration is the point — and the risk. With India's DPDP Act putting personal data handling on a legal footing, "is our CRM secure" is no longer an IT question but a business one. Here are the four layers that matter, and how ASH implements each.

Encryption at rest, at the field level

Disk-level encryption protects against a stolen hard drive, not against an exposed database. ASH goes a layer deeper: lead contact details are encrypted at the field level before they are written to the database, each value with its own random initialisation vector. A leaked backup or a misdirected query returns ciphertext, not a callable phone list. The trade-off is that the application must decrypt to display or send — which is why decryption is handled through one central, audited path in code rather than ad hoc in every screen.

Role-based access: see what your job needs

Not everyone in the account should see everything. ASH scopes access by role — owners and managers see across the team, agents work their assigned leads — and administrative surfaces such as settings, integrations and exports sit behind the roles that need them. Just as important is tenant isolation: in a multi-tenant system, every query is scoped to your organisation at the data layer, not merely hidden in the interface.

Audit trails: who did what, when

Security is not only prevention; it is reconstruction. Activity in ASH is logged against leads and users — assignments, stage changes, edits, messages — so a dispute ("who marked this lead lost?") is answered from the record, not from memory. The notification bell surfaces the same activity stream as it happens, which keeps oversight routine instead of forensic.

Masked credentials and integration hygiene

A modern CRM connects to WhatsApp, email, SMS providers and lead portals, and every connection involves a credential. In ASH those tokens and API keys are masked in the interface after entry — visible enough to verify, never displayed in full again — and inbound webhooks are verified with secrets so a forged request cannot inject or read data. Credentials caught in screenshots and screen-shares are one of the most common leak paths; masking closes it by default.

Questions to ask any CRM vendor

  • Is personal data encrypted at the field level, or only on disk?
  • Can an agent export the full customer database, and would anyone know?
  • Is there an audit trail for edits, deletions and assignment changes?
  • Are integration credentials masked and webhook endpoints authenticated?
  • How is one customer's data isolated from another's on shared infrastructure?

Any serious vendor should answer these plainly. For the full picture of what ASH covers across plans, see the features overview and pricing — security, unlike some capabilities, is not an add-on tier.

Ready to capture every lead on WhatsApp?

Start your free trial
CRM Data Security: Encryption, Roles, Audit | ASH | ASH