All Cresta servers reside within our virtual private cloud (VPC), access to which follows the principle of least privilege. Any and all access requires two-factor authentication (2FA). Each customer’s data and application instance runs on standalone infrastructure with network segregation. All traffic within our network is encrypted in transit, and all customer data is encrypted at rest.
Cresta engineering takes security very seriously. All code commits must be approved after a mandatory code review, along with examination by static analysis. Every developer undergoes security training as part of their onboarding process, and our security policies are audited annually. We follow industry best practices for patching software with known security vulnerabilities, and work with external researchers to help secure our software.
Cresta follows secure credential storage best practices: passwords are never stored in human-readable form, only as the output of a secure, salted, one-way hash. Two-factor authentication, IP whitelisting, and SAML are available to customers for further restricting access to accounts.
Automatic redaction can redact strings of digits that match a valid credit card primary account number (PAN), social security numbers, and other PII. Cresta is CCPA compliant. Any access to customer data follows the principle of least privilege and role-based access control, with extensive logging.
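Added example (not Cresta's code; it does not describe Cresta's actual redaction engine): a minimal redactor showing why "a valid credit card primary account number" matters. A candidate digit run is only redacted as a PAN when it passes the Luhn checksum, which keeps unrelated 16-digit values such as order numbers intact; SSN-shaped strings are redacted by pattern. The sample transcript line is constructed and contains only well-known test values.

```python
import re

# Constructed sample; 4111 1111 1111 1111 is a standard test PAN, the SSN is fake,
# and the trailing 16-digit order number fails the Luhn check on purpose.
SAMPLE = "Card 4111 1111 1111 1111 exp 12/26, SSN 123-45-6789, order 1234567890123456"

# 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Classic NNN-NN-NNNN layout (hypothetical pattern; real engines use stricter rules).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: True when the digit string is a well-formed PAN."""
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_pan(match: re.Match) -> str:
    digits = re.sub(r"[ -]", "", match.group(0))
    # Only a Luhn-valid run is treated as a card number; otherwise leave it alone.
    return "[PAN REDACTED]" if luhn_valid(digits) else match.group(0)


def redact(text: str) -> str:
    """Replace Luhn-valid PANs and SSN-shaped strings with fixed tokens."""
    text = PAN_RE.sub(_redact_pan, text)
    text = SSN_RE.sub("[SSN REDACTED]", text)
    return text


if __name__ == "__main__":
    print(redact(SAMPLE))
```

Redaction like this belongs at ingestion, before data reaches storage or downstream models, so that the redacted form is the only one ever persisted.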