Cresta Security and Data Privacy

Our enterprise-grade security program is designed to keep our customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.

Securing our Infrastructure

All Cresta servers reside within our virtual private cloud (VPC), access to which follows the principle of least privilege. Any and all access requires two-factor authentication (2FA). Each customer’s data and application instance runs on standalone infrastructure with network segregation. All traffic within our network is encrypted in transit, and all customer data is encrypted at rest.

Secure SDLC

Cresta engineering takes security very seriously. All code commits must be approved after a mandatory code review, along with examination by static analysis. Every developer undergoes security training as part of their onboarding process, and our security policies are audited annually. We follow industry best practices for patching software with known security vulnerabilities, and work with external researchers to help secure our software.

Application Security

Cresta follows secure credential storage best practices: passwords are never stored in human-readable format, only as the result of a secure, salted, one-way hash. Two-factor authentication, IP whitelisting, and SAML are available to our customers for further restricting access to accounts.

Data Security

Automatic redaction provides the ability to redact strings of numbers that match a valid credit card primary account number, as well as social security numbers and various other PII. Cresta is CCPA compliant. Any access to customer data follows the principle of least privilege and role-based access control, with extensive logging.

External Assessments

Cresta undergoes an annual penetration test by third-party experts, and maintains a vulnerability disclosure process to work with the extended security researcher community on helping us identify vulnerabilities in our software. To report a vulnerability, please contact us at