Cresta Security and Data Privacy

Our enterprise-grade security and data privacy program is designed to keep your customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.

SOC 2 Type II

(Trust Service Principles: Security & Availability)

Cresta undergoes annual SOC 2 Type II audits performed by accredited independent third party auditors.

Covered Products:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director

ISO/IEC 27001:2013

Cresta is certified against the ISO/IEC 27001:2013 standard and undergoes annual recertification audits.

Covered Products:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director

ISO/IEC 27701:2019

Cresta is certified against the ISO/IEC 27701:2019 standard and undergoes annual recertification audits.

Covered Products:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director

PCI-DSS

(Service Provider Level 2)

Cresta is annually audited by an accredited third party Qualified Security Assessor (QSA) to maintain compliance with PCI-DSS Service Provider Level 2 requirements.

Covered Products:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director

HIPAA

Cresta has met the requirements of the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a Business Associate.

For customers who require HIPAA for their account, please do the following:

  1. Execute our Business Associate Agreement (BAA).
  2. Follow the outlined security configurations:
    1. Customer Support:
      1. Agents/Managers/Admins cannot input electronic protected health information (ePHI) into the customer support system.
    2. Session Activity through one or both of the following methods:
      1. Customers must enforce a password-locked screensaver or startup screen for all Agents/Managers/Admins set to engage at a maximum of fifteen (15) minutes of system inactivity.
      2. Reach out to your Customer Success Manager (CSM) to enable and enforce automatic session timeout for Agents/Managers/Admins upon a maximum of fifteen (15) minutes of inactivity.
    3. Identification and Authentication through one of the following methods:
      1. Each Agent/Manager/Admin must have a unique ID/email and use Cresta’s default password complexity settings for all Agents/Managers/Admins.
      2. Utilize an external Single Sign-on (SSO) system to access the Cresta platform. Additionally, enable and enforce Two-Factor Authentication (2FA) with your external SSO system for all Agent/Manager/Admin access.

Covered Products:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director

TISAX

(Assessment Level 2: Information with High Protection Needs)

Cresta has completed an external TISAX assessment against the TISAX specifications and security requirements by an ENX-accredited auditor.

  • Scope ID: S3TWKX
  • Assessment ID: ACW6G7-1

Covered Products:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director

Privacy

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)
Union

Customers that utilize Cresta’s products may be considered a “Business” under the California Consumer Privacy Act (CCPA) and are responsible for ensuring that any processing of personal information is compliant with relevant data protection regulations, such as the CPRA. In relation to CCPA, Cresta is a “Service Provider” and “Contractor” and affirms that it will not:

  • Sell or share your Business’ personal information or your end-users’ personal information
  • Only retain, use, or disclose your Business’ personal information or your end-users’ personal information to the Sub-Processors listed below, who shall also comply with the CPRA
  • Process your Business’ personal information for any purpose other than those business purposes set forth in the CPRA or otherwise permitted by the California Privacy Protection Agency, as outlined in our Privacy Policy
  • Not retain, use, or disclose your Business’ personal information outside of the scope of the agreement we maintain with you
  • Combine personal information in violation of the CPRA.

For more information about our privacy practices and the ability to exercise your privacy rights under applicable data protection law, please refer to our Privacy Policy.

European General Data Protection Regulation (GDPR)
Union

Customers that utilize Cresta’s products to collect and store personal data of EU citizens are considered data controllers under the European General Data Protection Regulation (GDPR). Cresta, as a data processor, can facilitate GDPR compliance through its Data Processing Addendum (DPA) which is designed to enable data transfers under the GDPR.

For more information about our privacy practices and the ability to exercise your privacy rights under applicable data protection law, please refer to our Privacy Policy.

United States Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Union

Cresta has met the requirements of the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a Business Associate. Please refer here for more information about Cresta’s HIPAA-eligible products and configuring your account for HIPAA.

Trust Profile

Compliance Artifacts and Documentation

Cresta maintains a partnership with Whistic to provide existing customers and prospects with easy access to our Compliance Artifacts and Documentation.

Trust Profile

Cresta maintains NDA and Non-NDA Trust Profiles.

NDA-Level Profile

Reports:

  • SOC 2 Type II
  • HIPAA/HITECH Type I

Penetration Test Summary Report:

  • Real-Time Agent Assist for Chat
  • Real-Time Agent Assist for Voice

Standardized Security Questionnaires:

  • SIG Lite
  • VSA
Certificate of Insurance

Architecture Diagrams:

  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice

Whistic self-service NDA profile

Non-NDA Profile

Certificates:

  • ISO/IEC 27001:2013 Certificate
  • ISO/IEC 27701:2019 Certificate
PCI-DSS Attestation of Compliance (AoC)

Standardized Security Questionnaire:

  • CSA CAIQ

Whistic self-service Non-NDA profile

Note:

If you do not have a Whistic account, you are required to create an account in order to access the documentation. If you’re registered and still having problems accessing either or both of the above-mentioned profiles, please contact [email protected].

Architecture And Cloud Hosting

hosting-img
Data Hosting

Cresta’s products are primarily hosted in Amazon Web Services ("AWS") and Google Cloud Platform ("GCP") data centers in the United States. AWS, GCP, and their services used to host Cresta’s platform are independently audited by accredited third parties.
• More information about AWS’ Compliance Program can be found here.
• More information about GCP’s Compliance Program can be found here.

hosting-img
Data Segregation

Cresta separates tenant data using unique logical identifiers assigned to each customer. Any time an application object is changed or created, the object is automatically linked to the customer’s account using the unique logical identifier. Additionally, Cresta logically segregates the development and production environments.

hosting-img
Data Center Physical and Environmental Security

Cresta personnel do not have access to the AWS/GCP data center cages where Cresta’s products are hosted. All physical and environmental security controls such as camera surveillance systems, uninterruptible power supply (UPS), etc. for the AWS/GCP data centers are administered by AWS/GCP personnel.
• More information about AWS’ Data Center Controls can be found here.
• More information about GCP’ Data Center Controls can be found here.

hosting-img
Vendor Risk Management

Prior to procurement, all new third party vendors are required to undergo a vendor assessment conducted by members from IT, Security and Compliance, Finance, and Legal. Vendors who are risk-ranked high or critical per our Third Party Vendor Classification and Risk Management Policy may be subject to annual assessments.

Sub-Processors

(Last Updated: September 6, 2022)
Cresta uses certain third party sub-processors to assist in the delivery and hosting of Cresta’s products and services. These sub-processors have or may have access to or process Customer Content. All sub-processors are reviewed and assessed at least annually by the Security and Compliance team.

Cresta’s current sub-processors are as follows:
Entity Name Purpose Applicable Product(s) Entity Country
Amazon Web Services, Inc. (AWS) Cloud Hosting Service Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
DataDog, Inc. Logging and Monitoring Service Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
Deepgram, Inc Automated Speech Recognition Service
  • Cresta Real-Time Agent Assist for Voice
United States
FullStory, Inc Session Replay and Debugging Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
Segment.io, Inc. Analytics Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
Optimizely, Inc. Feature Toggle and Experimentation Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
Hex.Tech Analytics Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
Google, Inc. Cloud Hosting Provider
  • Cresta Chatbot
United States
OpenAI, Inc. Natural Language API Service
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
United States
Mixpanel, Inc. Product Analytics Provider
  • Cresta Real-Time Agent Assist for Chat
  • Cresta Real-Time Agent Assist for Voice
  • Cresta Director
  • Cresta Insights
  • Cresta Chatbot
United States
MORE

Cloud Security

Cloud Security
sec-img1
Network Vulnerability Scanning

Cresta performs monthly vulnerability scans on all infrastructure components and public-facing web pages. Identified vulnerabilities are validated, triaged, and assigned to the appropriate team for remediation.

sec-img1
Intrusion Detection

Cresta monitors for unauthorized intrusions using traffic monitoring and threat detection systems. Alerts are predefined and continually configured to alert and notify on-call Security personnel of potential incidents.

sec-img1
Logical Access Controls

Access to the Cresta production network requires multiple authentication factors, is limited to authorized personnel with a need-to-know, and is frequently reviewed and monitored for appropriateness. Any modifications or changes to personnel roles and permissions for production systems must have a documented ticket and appropriate approvals prior to being granted access. Terminated personnel are removed from production and other corporate systems in a timely manner.

sec-img1
Security Incident Response

Ongoing monitoring, alerts, incident response plans, and internal communication channels have been established to investigate, mitigate, and respond to potential or confirmed security incidents. Cresta also conducts annual security incident response tabletop exercises to train relevant personnel and leadership on their roles and responsibilities during a security incident.

Cloud Security

Encryption
sec-img1
Data in Transit

All data in transit over public networks is encrypted via HTTPS using a TLS 1.2 (or higher) encryption standard. Ciphers and protocols are reviewed regularly to ensure the safeguard of data in transit.

sec-img1
Data at Rest

All data at rest is encrypted with the Advanced Encryption Standard (AES) algorithm and 256-bit encryption keys (inclusive of backups).

sec-img1
Key Management

We use our Hosting Providers' Key Management Service ("KMS") to create and manage cryptographic keys and control their use across our services. These KMS services use hardware security modules to protect our keys, furthermore we have detailed logs stored in central repositories that provide usage data on all of our keys.

Cloud Security

Availability and Continuity
sec-img1
Redundancy

Cresta's infrastructure uses managed Kubernetes Service to easily run and manage Cresta’s family of products. This service allows Cresta to automatically scale its service up and down depending on traffic load across multiple Availability Zones (“AZs”) allowing for high availability and resiliency of the platform.

sec-img1
Backup Management

Cresta performs daily backups of customer data. These backups are retained across multiple Availability Zones (AZs) and encrypted at rest using Advanced Encryption Standard (AES-256).

sec-img1
Business Continuity and Disaster Recovery

Cresta maintains and annually updates its Business Continuity and Disaster Recovery plans to minimize business and service disruption in the event of a disaster. These plans, including restoration from the last known-good backup, are tested at least annually.

Application / Platform Security

Secure Development Lifecycle (SDLC)

Cresta leverages static application security testing, dependency monitoring, as well as code reviews to remediate and prevent vulnerabilities in code. Additionally, every developer participates in a security training during onboarding.

Vulnerability Management

In order to track, assess risk and prioritize vulnerability remediation, Cresta maintains a vulnerability management program utilizing the Common Vulnerability Scoring System (CVSS) and the OWASP risk rating methodology.

Penetration Testing

Cresta undergoes annual penetration tests by reputable third parties. In addition to that, Cresta's Security team is regularly assessing its products according to the OWASP Top 10 and the Application Security Verification Standard (ASVS).

Vulnerability Disclosure

Cresta values the information security community and encourages security researchers to participate in our responsible vulnerability disclosure program. To report a vulnerability, please contact us at [email protected](PGP). Every vulnerability report is triaged and assessed within 24hours during business days.

Human Resources and Endpoint Security

  • Background Checks

    Cresta performs background checks on all new employees and contractors in accordance with local laws.

  • Confidentiality Agreements

    All employees and contractors are required to sign a Confidentiality Agreement or Non-Disclosure Agreement upon hire.

  • Policies

    All information security policies and procedures are reviewed and updated by the Security and Compliance team at least annually. Any changes or updates to these policies are communicated and must be acknowledged by all employees and contractors (with access to sensitive systems and data). Employees or contractors found to be in violation of the information security policies may be subject to disciplinary action, up to and including termination of employment, or contractual agreement.

  • Training and Awareness

    All employees and contractors (with access to sensitive systems and data) are required to attend security awareness training upon hire and annually thereafter. Additional security awareness notifications and updates from the Security and Compliance team are sent to employees and contractors as necessary.

  • Endpoints

    All Cresta employee and contractor endpoints are centrally managed by our IT team. At a minimum, every endpoint has enforced controls such as a password-protected screen saver, automatic lockout after predefined inactivity, anti-virus/anti-malware software, and hard disk encryption.