Cresta Security and Data Privacy
Our enterprise-grade security and data privacy program is designed to keep your customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.
Customers that utilize Cresta’s products may be considered a “Business” under the California Consumer Privacy Act (CCPA) and are responsible for ensuring that any processing of personal information is compliant with relevant data protection regulations, such as the CPRA. In relation to the CCPA, Cresta is a “Service Provider” and “Contractor” and affirms that it will:
- Not sell or share your Business’ personal information or your end-users’ personal information
- Only retain, use, or disclose your Business’ personal information or your end-users’ personal information to the Sub-Processors listed below, who shall also comply with the CPRA
- Not retain, use, or disclose your Business’ personal information outside of the scope of the agreement we maintain with you
- Not combine personal information in violation of the CPRA.
Customers that utilize Cresta’s products to collect and store personal data of EU citizens are considered data controllers under the European General Data Protection Regulation (GDPR). Cresta, as a data processor, can facilitate GDPR compliance through its Data Processing Addendum (DPA) which is designed to enable data transfers under the GDPR.
Cresta has met the requirements of the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a Business Associate. Please refer here for more information about Cresta’s HIPAA-eligible products and configuring your account for HIPAA.
Compliance Artifacts and Documentation
Cresta maintains a partnership with SafeBase to provide existing customers and prospects with easy access to our Compliance Artifacts and Documentation.
Cresta maintains a Trust Center with SafeBase that gives you frictionless access to our security and compliance documentation. You can access it at trust.cresta.com.
Architecture And Cloud Hosting
Cresta’s products are primarily hosted in Amazon Web Services ("AWS") and Google Cloud Platform ("GCP") data centers in the United States. AWS, GCP, and their services used to host Cresta’s platform are independently audited by accredited third parties.
• More information about AWS’ Compliance Program can be found here.
• More information about GCP’s Compliance Program can be found here.
Cresta separates tenant data using unique logical identifiers assigned to each customer. Any time an application object is changed or created, the object is automatically linked to the customer’s account using the unique logical identifier. Additionally, Cresta logically segregates the development and production environments.
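The tenant-separation pattern described above, as an added illustration that is not Cresta's code: every object written through a store is stamped with the tenant's logical identifier taken from the authenticated request context, and every read, update and listing is filtered by that identifier, so a foreign object id behaves exactly like a missing one. The `TenantStore`, `TenantContext` and `AppObject` names are assumptions made for this example.

```python
# Added example (not Cresta's code): logical tenant separation.
# Every object written through the store is stamped with the caller's
# tenant id and every read is filtered by it, so one customer's records
# are never returned to another. Names and sample data are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import uuid


class TenantIsolationError(Exception):
    """Raised when a request touches an object outside its own tenant."""

@dataclass
class TenantContext:
    tenant_id: str   # taken from the authenticated session, not user input

@dataclass
class AppObject:
    kind: str
    payload: dict
    tenant_id: str   # stamped by the store, never supplied by the caller
    object_id: str = field(default_factory=lambda: uuid.uuid4().hex)

class TenantStore:
    """In-memory store where every access is keyed by the calling tenant."""

    def __init__(self) -> None:
        self._objects: Dict[str, AppObject] = {}

    def create(self, ctx: TenantContext, kind: str, payload: dict) -> AppObject:
        # Tenant id comes from ctx, so a client cannot write into another account.
        obj = AppObject(kind=kind, payload=dict(payload), tenant_id=ctx.tenant_id)
        self._objects[obj.object_id] = obj
        return obj

    def get(self, ctx: TenantContext, object_id: str) -> AppObject:
        obj = self._objects.get(object_id)
        # Missing and foreign ids look identical to the caller, so the error
        # does not reveal that the id exists under another tenant.
        if obj is None or obj.tenant_id != ctx.tenant_id:
            raise TenantIsolationError(f"no object {object_id} in tenant {ctx.tenant_id}")
        return obj

    def update(self, ctx: TenantContext, object_id: str, payload: dict) -> AppObject:
        obj = self.get(ctx, object_id)   # re-checks ownership on every change
        obj.payload.update(payload)
        return obj

    def list(self, ctx: TenantContext, kind: Optional[str] = None) -> List[AppObject]:
        return [o for o in self._objects.values()
                if o.tenant_id == ctx.tenant_id and (kind is None or o.kind == kind)]
```

The same scoping belongs in the real persistence layer (for example as a mandatory tenant column in every query), not only in application code.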
Data Center Physical and Environmental Security
Cresta personnel do not have access to the AWS/GCP data center cages where Cresta’s products are hosted. All physical and environmental security controls such as camera surveillance systems, uninterruptible power supply (UPS), etc. for the AWS/GCP data centers are administered by AWS/GCP personnel.
• More information about AWS’ Data Center Controls can be found here.
• More information about GCP’s Data Center Controls can be found here.
Vendor Risk Management
Prior to procurement, all new third-party vendors are required to undergo a vendor assessment conducted by members from IT, Security and Compliance, Finance, and Legal. Vendors who are risk-ranked high or critical per our Third Party Vendor Classification and Risk Management Policy may be subject to annual assessments.
Cresta uses certain third-party sub-processors to assist in the delivery and hosting of Cresta’s products and services. These sub-processors have or may have access to or process Customer Content. All sub-processors are reviewed and assessed at least annually by the Security and Compliance team.
Cresta’s current sub-processors can be requested on trust.cresta.com.
Network Vulnerability Scanning
Cresta performs monthly vulnerability scans on all infrastructure components and public-facing web pages. Identified vulnerabilities are validated, triaged, and assigned to the appropriate team for remediation.
Cresta monitors for unauthorized intrusions using traffic monitoring and threat detection systems. Alerts are predefined and continually tuned so that on-call Security personnel are notified of potential incidents.
Logical Access Controls
Access to the Cresta production network requires multiple authentication factors, is limited to authorized personnel with a need-to-know, and is frequently reviewed and monitored for appropriateness. Any modifications or changes to personnel roles and permissions for production systems must have a documented ticket and appropriate approvals prior to being granted access. Terminated personnel are removed from production and other corporate systems in a timely manner.
Security Incident Response
Ongoing monitoring, alerts, incident response plans, and internal communication channels have been established to investigate, mitigate, and respond to potential or confirmed security incidents. Cresta also conducts annual security incident response tabletop exercises to train relevant personnel and leadership on their roles and responsibilities during a security incident.
Data in Transit
All data in transit over public networks is encrypted via HTTPS using TLS 1.2 or higher. Ciphers and protocols are reviewed regularly to ensure that data in transit remains safeguarded.
Data at Rest
All data at rest is encrypted with the Advanced Encryption Standard (AES) algorithm and 256-bit encryption keys (inclusive of backups).
We use our Hosting Providers' Key Management Service ("KMS") to create and manage cryptographic keys and control their use across our services. These KMS services use hardware security modules to protect our keys. In addition, detailed logs stored in central repositories provide usage data on all of our keys.
Cresta's infrastructure uses a managed Kubernetes service to run and manage Cresta’s family of products. This service allows Cresta to automatically scale its services up and down depending on traffic load across multiple Availability Zones (“AZs”), allowing for high availability and resiliency of the platform.
Cresta performs daily backups of customer data. These backups are retained across multiple Availability Zones (AZs) and encrypted at rest using Advanced Encryption Standard (AES-256).
Business Continuity and Disaster Recovery
Cresta maintains and annually updates its Business Continuity and Disaster Recovery plans to minimize business and service disruption in the event of a disaster. These plans, including restoration from the last known-good backup, are tested at least annually.
Application / Platform Security
Secure Development Lifecycle (SDLC)
Cresta leverages static application security testing, dependency monitoring, and code reviews to remediate and prevent vulnerabilities in code. Additionally, every developer participates in security training during onboarding.
To track, assess the risk of, and prioritize vulnerability remediation, Cresta maintains a vulnerability management program utilizing the Common Vulnerability Scoring System (CVSS) and the OWASP risk rating methodology.
Cresta undergoes annual penetration tests by reputable third parties. In addition, Cresta's Security team regularly assesses its products against the OWASP Top 10 and the Application Security Verification Standard (ASVS).
Cresta values the information security community and encourages security researchers to participate in our responsible vulnerability disclosure program. To report a vulnerability, please contact us at [email protected] (PGP). Every vulnerability report is triaged and assessed within 24 hours on business days.
Human Resources and Endpoint Security
Cresta performs background checks on all new employees and contractors in accordance with local laws.
All employees and contractors are required to sign a Confidentiality Agreement or Non-Disclosure Agreement upon hire.
All information security policies and procedures are reviewed and updated by the Security and Compliance team at least annually. Any changes or updates to these policies are communicated to, and must be acknowledged by, all employees and contractors (with access to sensitive systems and data). Employees or contractors found to be in violation of the information security policies may be subject to disciplinary action, up to and including termination of employment or of the contractual agreement.
Training and Awareness
All employees and contractors (with access to sensitive systems and data) are required to attend security awareness training upon hire and annually thereafter. Additional security awareness notifications and updates from the Security and Compliance team are sent to employees and contractors as necessary.
All Cresta employee and contractor endpoints are centrally managed by our IT team. At a minimum, every endpoint has enforced controls such as a password-protected screen saver, automatic lockout after predefined inactivity, anti-virus/anti-malware software, and hard disk encryption.