The risks of data caching in CRM integrations

At Red Cactus, we design our CRM integrations according to the security-by-design principle: secure, privacy-friendly, and future-proof from the ground up. Our guiding principle when developing CRM integrations is to avoid techniques that store copies of personal data (such as periodic data synchronizations). Instead, we focus on building integrations that rely primarily on real-time communication with the CRM via APIs (federated queries).

Our previous article on recognizing GDPR-compliant CRM integrations stirred quite a bit of discussion. Several readers mentioned they were unaware of the risks associated with certain techniques and asked how this applies to CRM integrations that use data caching. In this article, we dive deeper into the topic and explain why caching personal data is not only unnecessary, but also something you should actively avoid.

What data caching means

Data caching means temporarily storing data, for example, to make it available more quickly. When a call comes in, such a cache can instantly display the name, email address, and phone number without making a live connection to the CRM.
Technically, that might seem convenient, but when it comes to personal data, there are significant drawbacks.

The difference between data caching and periodic data synchronizations

So, data caching stores information temporarily outside the CRM, whereas periodic data synchronization retrieves data from the source system at fixed intervals (for example, every hour or daily) and stores it outside the CRM. In most cases, these synchronized records are also placed in a cache for faster processing. Although the techniques differ, they share one important characteristic: in both cases, a copy of personal data is created outside the source system, which is problematic. 

The five biggest pitfalls of data caching and periodic synchronization

The starting point of CRM integration developers who opt for caching or periodic synchronization is technically problematic and, moreover, runs counter to the spirit of the core principles of the GDPR, as we explained in our previous article. Below, we outline the five main drawbacks, both from a technical perspective and in the context of the GDPR:

  1. Outdated data – With caching or periodic synchronization, changes to addresses, names, or privacy settings are only processed during the next synchronization. Until then, the integration operates on outdated information, which can lead to display errors and, consequently, communication issues. Since the GDPR requires personal data to be accurate and up to date (Article 5, paragraph 1, point d), this may also conflict with the principle of accuracy and consent.

  2. Additional copies of personal data – Every extra storage location increases the risk of data breaches and makes exercising the “right to be forgotten” (Article 17) complex and error-prone. The data owner also loses control and often does not know exactly where the data is stored. This also goes against the GDPR principle of data minimization: if there are techniques available that allow you to avoid storing personal data, you should use them.

  3. Authorization issues – With caching or periodic synchronization, access rights are only checked at the time of synchronization. Permissions and roles configured in the CRM are completely ignored for any accounts that are not part of the synchronization process. As a result, unauthorized users may still see data they should not have access to. Since authorization is not determined per real-time request, someone who later loses their permissions can still retain access to sensitive information. With a real-time approach via federated queries, this problem is avoided, and a transparent audit trail is created, allowing every view to be traced.

  4. Functional limitations – Because caching is always a snapshot, features that require up-to-date CRM data work less reliably. The available data is also limited, as you usually do not want to synchronize your entire CRM. Technical logic or integrations that depend on real-time data, such as instant validations or workflow triggers, do not function well on outdated copies. With real-time retrieval via APIs, these drawbacks do not exist, and you can use all the necessary, current fields (including custom fields) from your CRM instantly.

  5. Impact in the event of a data breach – When all customer data is stored centrally in a single environment, a security incident can affect all customers at once. While you may assume that data is logically separated per customer through database tables and tokens, in reality, everything resides physically within the same infrastructure. This increases the attack surface and raises the risk that an incident will impact multiple customers. In multi-tenant environments, there is also the possibility of cross-viewing, where data from different customers becomes accidentally accessible to unauthorized parties. In the case of a data breach, with all the resulting direct and indirect damage, the inevitable question arises: who is responsible: the end customer, the telecom partner, or the CRM integration developer? This can lead to a prolonged legal dispute. With real-time API connections, this risk is significantly reduced because personal data is not stored centrally.

Why federated queries are the only right choice for CRM integrations

The solution is the use of federated queries, which is the standard approach at Red Cactus when developing CRM integrations. This means we do not rely on caching personal data or periodic synchronization. As a result, personal data remains in the source system and is retrieved only in real time when needed. When a phone call comes in, we make a secure, real-time API call to the CRM at that moment. This way, the data is retrieved and validated instantly, without the technical limitations of caching or periodic synchronization. Moreover, these CRM integrations fully comply with the core principles of the GDPR.

But data caching also has advantages, right?

Data caching in CRM integrations is almost never necessary and, moreover, undesirable. A common argument for using it is speed, but in practice, this is a rarity: it only occurs with CRM software applications that have a technically limited infrastructure or severely outdated technology. In such cases, it is wiser to urge the provider to improve performance.

If data caching is unavoidable, do it like this

In a few unique situations, it is technically unavoidable to cache some data. This applies in particular to CRM systems where we cannot retrieve customer data via the API based on the caller’s phone number. If you must cache data in such a case, do it the way we do: do not cache personal data, but only customer numbers linked to phone numbers. When an incoming call arrives, you can then use the customer number to make a real-time API call to retrieve the current information. This way, performance remains high, authorizations are always checked in real time, and you remain fully within the boundaries of the GDPR.
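The sketch below is an added example, not Red Cactus code. It contrasts the synchronized-copy lookup from pitfall 3 with the approach described here: an index that holds only phone number to customer number links, plus a live CRM call made as the requesting user. `FakeCRM`, the user names, the customer number and the phone number are all constructed stand-ins.

```python
class FakeCRM:
    """Constructed stand-in for a CRM API that enforces its own permissions."""
    def __init__(self):
        self.records = {"C-1001": {"name": "Example Person", "email": "person@example.test"}}
        self.allowed = {"alice", "bob"}   # users the CRM currently authorizes
        self.audit = []                   # one entry per attempted view

    def get_customer(self, user, customer_no):
        granted = user in self.allowed
        self.audit.append((user, customer_no, granted))
        if not granted:
            raise PermissionError(f"{user} may not view {customer_no}")
        return dict(self.records[customer_no])

def normalize(phone):
    return "".join(ch for ch in phone if ch.isdigit())

def sync_full_records(crm, links, sync_user):
    # Pitfall: copies personal data; permissions are checked once, for sync_user only.
    return {normalize(p): crm.get_customer(sync_user, c) for p, c in links.items()}

def cached_lookup(cache, user, phone):
    # 'user' is never consulted: the copy knows nothing about CRM permissions.
    return cache.get(normalize(phone))

def build_index(links):
    # Holds only phone -> customer number, no name or email fields.
    return {normalize(p): c for p, c in links.items()}

def federated_lookup(crm, index, user, phone):
    customer_no = index.get(normalize(phone))
    # Live call as the requesting user: the CRM authorizes and logs this view.
    return crm.get_customer(user, customer_no) if customer_no else None

def demo():
    crm = FakeCRM()
    links = {"+31 20 555 0100": "C-1001"}          # constructed sample link
    stale = sync_full_records(crm, links, "alice")
    index = build_index(links)
    crm.allowed.discard("bob")                      # bob loses access in the CRM
    crm.records["C-1001"]["name"] = "Renamed Person"
    leaked = cached_lookup(stale, "bob", "+31205550100")
    try:
        federated_lookup(crm, index, "bob", "+31205550100")
        denied = False
    except PermissionError:
        denied = True
    fresh = federated_lookup(crm, index, "alice", "+31205550100")
    return leaked, denied, fresh, crm.audit
```

After the revocation and rename, the synchronized copy still hands the old record to `bob`, while the index-plus-live-call path is refused by the CRM and leaves an audit entry for every attempt.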

How about this exception?

In the early years of Red Cactus, there was significantly less attention in the market to the processing of personal data than there is today. As privacy protection increasingly became a hot topic over the years, we rewrote all CRM integrations that could be technically improved to a future-proof approach based on federated queries. Of the 200+ CRM integrations, only one from the early period still caches personal data, and only in the user’s personal storage folder, never centrally on an internal or external server. While we would no longer include this type of integration in our portfolio today, it remains in place because no technical alternative is currently possible. As soon as the CRM itself makes a technical change that enables a more privacy-friendly solution, we will update the integration immediately. Until then, this integration will continue to function in this way, and we clearly state in the technical manual how it works, so that customers know exactly what data caching entails.

Together towards safer and better CRM integrations

Our mission is to set a standard that raises the quality of CRM integrations across the entire market. By actively writing about this, we increase awareness and encourage other developers to follow our example. At the same time, we demonstrate that Red Cactus partners already enjoy a clear competitive advantage in commercial processes.