These CrewPass API Terms of Use (the API Terms) govern access to and use of the CrewPass Partner API and related developer resources (the API), operated by CrewPass Limited (CPL, CrewPass, we, us, our). The API is hosted at partners.crewpass.co.uk and exposes CrewPass crew, vessel, document and compliance data through a scope-gated, consent-based interface.
These API Terms supplement, and are incorporated into, the CrewPass Participation Agreement between you and CPL (the Agreement), and, where personal data is processed, the CrewPass Data Processing Agreement (the DPA). If there is any conflict, these API Terms govern in respect of your use of the API, and the DPA governs in respect of data protection. Capitalised terms not defined here have the meaning given in the Agreement.
By requesting or using API credentials, or by accessing the API, you agree to these API Terms on behalf of the organisation you represent (the Partner, you, your), and you confirm you have authority to bind that organisation.
1. What the API is
1.1 The API is a front door to data that already exists in CrewPass. It does not create a new source of data. It lets an authenticated Partner read crew, vessel, document and compliance information, and (where enabled for your tier) carry out a limited set of write actions such as vessel attachment, crew placement and issuing background checks.
1.2 Access is organised around scopes. Each API endpoint requires a specific scope. The data you can access is limited to the intersection of (a) the scopes granted to you and (b) the scopes the relevant crew member has consented to share with you (effective scope = granted scopes ∩ crew-consented scopes). Where you lack an effective scope, the API returns an authorisation error and no data.
1.3 We may offer test and live environments and credentials. Test credentials must not be used against live personal data, and live credentials must not be used for testing that generates artificial load or data.
2. Eligibility and credentials
2.1 Partner types. The API is available to (a) customer partners, who hold a CrewPass Employer account and whose scopes are derived from their subscription tier, and (b) external partners, whose scopes are set by separate written contract. The management-company use case is the first supported surface; other use cases are enabled at our discretion.
2.2 API keys. We issue you one or more API keys (for example keys prefixed cpk_live_ or cpk_test_, and read-only public keys prefixed cppk_). API keys are confidential credentials issued to you and must be treated as secrets.
2.3 Your responsibilities for credentials. You must: keep API keys secret and stored securely (for example in a secrets manager, never in client-side code, browsers, mobile apps, source control or logs); restrict access to authorised personnel; use TLS for all calls; rotate keys on our request or on any suspected compromise; and notify us without undue delay at customerservice@crewpass.co.uk of any actual or suspected compromise. You are responsible for all activity carried out using your credentials.
2.4 Mutating calls and webhooks. Where we require it, mutating requests and inbound webhook verification must be signed using the HMAC signing method and signing secret we provide. You must validate webhook signatures before acting on a webhook.
3. Crew consent and permitted use of data
3.1 Consent is the gate. Crew data is made available to you only to the extent the relevant crew member has consented to share the corresponding scope with you. Consent may be withdrawn by the crew member at any time, after which the corresponding data will cease to be available through the API. You must respect withdrawal of consent and must not retain or continue to use crew data beyond what these API Terms and the DPA permit.
3.2 Permitted purpose. You may use data obtained through the API only for the legitimate crew verification, placement, compliance and management purposes for which access was granted, and in accordance with the Agreement, the DPA and applicable law. You act as an independent controller in respect of personal data you obtain, as set out in the DPA.
3.3 Prohibited use of data. You must not: use the API or any data obtained through it to build or populate a competing product or a general database of crew; enumerate, scrape, harvest or systematically extract data beyond the crew and vessels legitimately attributed to you; attempt to access data outside your effective scope or another partner's data; re-identify anonymised or aggregated data; sell, rent or sub-licence API data except as expressly permitted; or use API data for advertising, profiling unrelated to the permitted purpose, or any unlawful, discriminatory or deceptive purpose.
3.4 Data minimisation and retention. You must request only the scopes you need, retain API data only as long as necessary for the permitted purpose, and apply security measures appropriate to the sensitivity of the data (which may include identity, biometric, criminal-records, health and payment-related data).
4. Acceptable use and rate limits
4.1 You must comply with the CrewPass Acceptable Use Policy and with any technical documentation, rate limits, quotas and usage guidelines we publish. We may apply and change rate limits and quotas to protect the stability and security of the Services.
4.2 You must not: interfere with or disrupt the API or the systems on which it runs; circumvent authentication, scope gating, rate limiting or audit; introduce malicious code; probe or scan for vulnerabilities other than under a security-testing arrangement agreed with us in writing; or use the API in a way that imposes an unreasonable load.
4.3 All API activity is logged and audited. You must not disable, obscure or attempt to defeat request identifiers used for auditing.
5. Fees
Access to the API is governed by your tier and order under the Agreement. Transactional actions initiated through the API (for example issuing a background check) are charged on a per-check or per-action basis as set out in your order and billed in accordance with the Agreement. We may introduce or vary API access fees on notice in accordance with the Agreement.
6. Availability, changes and deprecation
6.1 We use commercially reasonable efforts to keep the API available, but do not guarantee uninterrupted or error-free operation. Availability commitments (if any) are as stated in the Agreement.
6.2 The API will evolve. We may add, change, deprecate or remove endpoints, fields, scopes and behaviours. For changes that are not backward compatible, we will use reasonable efforts to give advance notice through our developer documentation or by email, and, where practicable, to support a transition period. You are responsible for keeping your integration current, and for testing against changes we announce.
6.3 We version the API surface (for example under /api/v2/). We may run more than one version and retire older versions on reasonable notice.
7. Intellectual property
7.1 The API, its documentation, and CrewPass are licensed, not sold. We and our licensors retain all Intellectual Property Rights in the API and in CrewPass. Subject to these API Terms, we grant you a non-exclusive, non-transferable, non-sublicensable, revocable licence to access and use the API during the term of the Agreement, solely for the permitted purpose.
7.2 You retain rights in your own systems and in data you originate. You grant us the rights necessary to operate the API and to process partner-originated data (including partner-written placements and invitations), as further described in the Agreement and DPA.
7.3 CrewPass names, logos and trade marks may be used only as expressly permitted in writing.
8. Suspension and termination
8.1 We may suspend or revoke your API access or credentials, in whole or in part, immediately where: we reasonably believe your use threatens the security, integrity or availability of CrewPass or its data; you breach these API Terms, the Agreement, the AUP or the DPA; a crew member's consent is withdrawn; we are required to do so by law or a regulator; or your Agreement is suspended or terminated.
8.2 On termination of your API access or the Agreement, the licence in Section 7.1 ends, you must stop using the API and securely delete API data except where retention is required by law or permitted by the DPA, and any surviving obligations (including confidentiality, data protection and accrued fees) continue.
9. Warranties and liability
9.1 The API is provided on an "as is" and "as available" basis. To the maximum extent permitted by law, we disclaim all warranties not expressly stated in the Agreement, including warranties of merchantability, fitness for a particular purpose and non-infringement. We do not warrant that data obtained through the API will produce any particular employment, placement or compliance outcome; all such decisions remain yours.
9.2 Nothing in these API Terms excludes or limits liability that cannot lawfully be excluded or limited, including for death or personal injury caused by negligence, or for fraud.
9.3 Subject to Section 9.2, and to the maximum extent permitted by law, our total aggregate liability arising out of or in connection with the API and these API Terms is limited as set out in the liability section of the Agreement (one hundred pounds sterling (£100)), and this limit applies together with, and not in addition to, the limit in the Agreement. We are not liable for indirect, consequential, incidental, special or punitive damages, or for loss of profit, revenue, business, reputation, data, goodwill or anticipated savings.
10. Data protection
Your processing of personal data obtained through the API is governed by the DPA. Each party acts as an independent controller in respect of such personal data unless a separate processor arrangement is agreed. Where the API supports automated processing, the automated-decision safeguards described in the CrewPass Privacy Policy (Articles 22A to 22D of the UK GDPR, as inserted by the Data (Use and Access) Act 2025) apply to CrewPass's own processing.
11. General
11.1 These API Terms are governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction, subject to the dispute-resolution provisions of the Agreement.
11.2 We may amend these API Terms from time to time. Material changes will be notified in advance through our developer documentation or by email. Continued use of the API after the effective date of a change constitutes acceptance.
11.3 These API Terms, the Agreement, the DPA, the Acceptable Use Policy and the Privacy Policy are the entire agreement between us in relation to the API.
12. Contact
Technical and contractual queries: customerservice@crewpass.co.uk. Data-protection queries: dpa@crewpass.co.uk.