
Keep your data secure

Cresta Security and Data Privacy

Our enterprise-grade security program is designed to keep customer data secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to protect your data. Here is an introduction to Cresta's security and data privacy practices.

SOC 2 Type II Compliance

Cresta holds a SOC 2 Type II report. Unlike a Type I report, which covers control design at a point in time, a Type II report attests that security controls operated effectively over the audit period, including monitoring for both known and unknown malicious activity affecting customer data in the cloud.

PCI DSS Compliance

The PCI DSS is maintained by the Payment Card Industry Security Standards Council. Cresta's PCI DSS compliance reflects that it has met the standard's stringent criteria for securing and protecting cardholder data.

ISO 27001

Cresta is ISO 27001 certified. Regular third-party audits of our information security management system give customers transparency into how we secure Cresta and customer assets.

ISO 27701

As a global leader in artificial intelligence and conversational intelligence, Cresta regularly invests in designing, operating, and improving its privacy systems. Cresta is ISO 27701 certified; ISO 27701 extends ISO 27001 with requirements for a privacy information management system.

Securing our Infrastructure

All Cresta servers reside within our virtual private cloud (VPC), and access to it follows the principle of least privilege. All access requires two-factor authentication (2FA). Each customer's data and application instance runs on dedicated, network-segregated infrastructure. All traffic within our network is encrypted in transit, and all customer data is encrypted at rest.

Secure SDLC

Cresta engineering takes security seriously. Every change must pass mandatory code review and static analysis before it is merged. Every developer undergoes security training as part of onboarding, and our security policies are audited annually. We follow industry best practices for patching software with known security vulnerabilities, and we work with external researchers to help secure our software.

Application Security

Cresta follows secure credential storage best practices: passwords are never stored in a human-readable form, only as the output of a secure, salted, one-way hash. Two-factor authentication, IP allowlisting, and SAML single sign-on are available to customers for further restricting access to accounts.

Data Security

Automatic redaction removes digit strings that form a valid credit card primary account number (PAN), Social Security numbers, and other PII from customer data. Cresta is CCPA compliant. All access to customer data follows the principle of least privilege and role-based access control, and is logged extensively.
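The key word in the paragraph above is "valid": a redactor that masks every 13- to 19-digit run will also destroy order numbers and tracking IDs, so production redaction gates card-number candidates on the Luhn checksum. The following is an added example, not Cresta's redaction engine, showing that gate over constructed transcript lines, plus an SSN rule that rejects area and group numbers the SSA never issues. The regular expressions, the redaction tokens and the handling of a stray number after the card are assumptions made for the example.

```python
"""Added example: Luhn-gated PAN and SSN redaction over transcript text (not Cresta's code)."""
import re

# Candidate PANs (assumed patterns): 13-19 bare digits, 4-4-4-4 groups with an
# optional short tail group (19-digit cards), or 4-6-5 groups (15-digit cards).
# Separators may be a single space or dash; the candidate must not sit inside
# a longer digit run.
_PAN_RE = re.compile(
    r"(?<!\d)(?:"
    r"\d{13,19}"
    r"|\d{4}[ -]\d{4}[ -]\d{4}[ -]\d{4}(?:[ -]\d{1,3})?"
    r"|\d{4}[ -]\d{6}[ -]\d{5}"
    r")(?!\d)"
)
# SSN in the canonical AAA-GG-SSSS form. Bare 9-digit runs are deliberately not
# treated as SSNs here: without separators they are too ambiguous.
_SSN_RE = re.compile(r"(?<![\d-])(\d{3})-(\d{2})-(\d{4})(?![\d-])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def _redact_pan(m: "re.Match") -> str:
    raw = m.group(0)
    groups = re.split(r"[ -]", raw)
    # Try the whole candidate first; if it fails and a short tail group was
    # captured, retry without it, since that tail is usually an unrelated number
    # that happened to follow the card on the same line.
    for n in (len(groups), len(groups) - 1):
        if n < 1:
            break
        digits = "".join(groups[:n])
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            end = len(digits) + (n - 1)          # digits plus single-char separators
            return "[REDACTED PAN ending " + digits[-4:] + "]" + raw[end:]
    return raw                                   # order numbers etc. are left intact


def _redact_ssn(m: "re.Match") -> str:
    return "[REDACTED SSN]" if ssn_plausible(*m.groups()) else m.group(0)


def redact(text: str) -> str:
    """Redact Luhn-valid PANs and plausible SSNs; all other digit strings are preserved."""
    text = _PAN_RE.sub(_redact_pan, text)
    return _SSN_RE.sub(_redact_ssn, text)


if __name__ == "__main__":
    # Constructed sample lines using well-known public test card numbers.
    for line in [
        "My card is 4111 1111 1111 1111, exp 12/26",
        "Order 1234 5678 9012 3456 shipped",
        "card 4111 1111 1111 1111 12 units",
        "Amex 3782 822463 10005 ok",
        "SSN 123-45-6789, ref 987-65-4320",
    ]:
        print(redact(line))
```

Luhn validation is a necessary filter, not a sufficient one: roughly one in ten random digit strings of the right length passes it, so real deployments add context (surrounding words, issuer prefixes) before redacting, and prefer over-redaction to leakage when in doubt.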

External Assessments

Cresta undergoes an annual penetration test by third-party experts, and maintains a vulnerability disclosure process to work with the extended security researcher community on helping us identify vulnerabilities in our software. To report a vulnerability, please contact us at [email protected].