Cresta Security and Data Privacy
Our enterprise-grade security and data privacy program is designed to keep your customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.
Privacy
Customers that use Cresta’s products may be a “Business” under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), and are responsible for ensuring that their processing of personal information complies with applicable data protection regulations. Under the CCPA, Cresta acts as a “Service Provider” and “Contractor” and affirms that it will:
- Not sell or share your Business’ personal information or your end users’ personal information
- Retain, use, or disclose your Business’ personal information or your end users’ personal information only as permitted by our agreement with you, including disclosure to the Sub-Processors described below, who must also comply with the CPRA
- Not process your Business’ personal information for any purpose other than the business purposes set out in the CPRA or otherwise permitted by the California Privacy Protection Agency, as described in our Privacy Policy
- Not retain, use, or disclose your Business’ personal information outside the scope of the agreement we maintain with you
- Not combine personal information in violation of the CPRA.
For more information about our privacy practices and the ability to exercise your privacy rights under applicable data protection law, please refer to our Privacy Policy.
Customers that use Cresta’s products to collect and store personal data of individuals in the European Union are data controllers under the General Data Protection Regulation (GDPR). Cresta, as a data processor, supports customers’ GDPR compliance through its Data Processing Addendum (DPA), which sets out the processing terms and the safeguards needed for transfers of personal data under the GDPR.
Cresta has met the requirements of the United States Health Insurance Portability and Accountability Act of 1996 (HIPAA) as a Business Associate. Please refer here for more information about Cresta’s HIPAA-eligible products and configuring your account for HIPAA.
Trust Center
Compliance Artifacts and Documentation
Cresta maintains a Trust Center, hosted with SafeBase, that gives existing customers and prospects frictionless access to our security and compliance documentation and compliance artifacts. You can access it at trust.cresta.com.
Architecture And Cloud Hosting
Data Hosting
Cresta’s products are primarily hosted in Amazon Web Services ("AWS") and Google Cloud Platform ("GCP") data centers in the United States. AWS, GCP, and their services used to host Cresta’s platform are independently audited by accredited third parties.
• More information about AWS’ Compliance Program can be found here.
• More information about GCP’s Compliance Program can be found here.
Data Segregation
Cresta separates tenant data using unique logical identifiers assigned to each customer. Any time an application object is changed or created, the object is automatically linked to the customer’s account using the unique logical identifier. Additionally, Cresta logically segregates the development and production environments.
Data Center Physical and Environmental Security
Cresta personnel do not have access to the AWS/GCP data center cages where Cresta’s products are hosted. All physical and environmental security controls such as camera surveillance systems, uninterruptible power supply (UPS), etc. for the AWS/GCP data centers are administered by AWS/GCP personnel.
• More information about AWS’ Data Center Controls can be found here.
• More information about GCP’s Data Center Controls can be found here.
Vendor Risk Management
Prior to procurement, every new third-party vendor undergoes a vendor assessment conducted by members of IT, Security and Compliance, Finance, and Legal. Cresta’s sub-processors are reassessed annually.
Sub-Processors
Cresta uses certain third-party sub-processors to assist in the delivery and hosting of Cresta’s products and services. These sub-processors have, or may have, access to Customer Content or process it on Cresta’s behalf. All sub-processors are reviewed and assessed at least annually by the Security and Compliance team.
Cresta’s current sub-processors can be requested on trust.cresta.com.
Cloud Security
Network Vulnerability Scanning
Cresta performs vulnerability scans on all infrastructure components. Identified vulnerabilities are validated, triaged, and remediated according to Cresta’s Vulnerability Management Program.
Intrusion Detection & Prevention
Cresta monitors for unauthorized intrusions using traffic monitoring and threat detection systems. Alerts are predefined and continually tuned to notify on-call Security personnel of potential incidents.
Logical Access Controls
Access to the Cresta production network requires multiple authentication factors, is limited to authorized personnel with a need-to-know, and is frequently reviewed and monitored for appropriateness. Any modifications or changes to personnel roles and permissions for production systems must have a documented ticket and appropriate approvals prior to being granted access. Terminated personnel are removed from production and other corporate systems in a timely manner.
Security Incident Response
Ongoing monitoring, alerts, incident response plans, and internal communication channels have been established to investigate, mitigate, and respond to potential or confirmed security incidents. Cresta also conducts annual security incident response tabletop exercises to train relevant personnel and leadership on their roles and responsibilities during a security incident.
Data in Transit
All data in transit over public networks is encrypted with HTTPS using TLS 1.2 or higher. Cipher suites and protocol versions are reviewed regularly to keep data in transit safeguarded.
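The check a practitioner would want for the TLS 1.2 floor described above, as an added example (this is not Cresta’s code or configuration): a Go loopback probe that generates a throwaway self-signed certificate, starts a server with MinVersion set to TLS 1.2, and shows that a client capped at TLS 1.1 is refused while a TLS 1.2+ client negotiates normally. A deliberately weak server configuration (MinVersion TLS 1.0) is run alongside for contrast. The host, port, certificate and the probe client that explicitly offers old versions are all local assumptions for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert makes a throwaway ECDSA P-256 certificate for the loopback
// probe (constructed for this example; not for production use).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// hardenedServerConfig applies the floor stated on the page: TLS 1.2 or higher.
func hardenedServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
}

// weakServerConfig is the setting to avoid: it still admits TLS 1.0 and 1.1 clients.
func weakServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS10}
}

// negotiatedVersion runs one handshake against a loopback server using srvCfg
// with a client capped at maxVersion and returns the negotiated protocol version.
// A server that refuses every version the client offers shows up as an error.
func negotiatedVersion(srvCfg *tls.Config, maxVersion uint16) (uint16, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // the outcome is observed on the client side
	}()
	cli := &tls.Config{
		InsecureSkipVerify: true,             // self-signed probe certificate only
		MinVersion:         tls.VersionTLS10, // let the probe offer old versions on purpose
		MaxVersion:         maxVersion,
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func versionName(v uint16) string {
	names := map[uint16]string{tls.VersionTLS10: "TLS 1.0", tls.VersionTLS11: "TLS 1.1",
		tls.VersionTLS12: "TLS 1.2", tls.VersionTLS13: "TLS 1.3"}
	if n, ok := names[v]; ok {
		return n
	}
	return fmt.Sprintf("0x%04x", v)
}

func main() {
	cert, err := selfSignedCert()
	if err != nil {
		panic(err)
	}
	servers := []struct {
		name string
		cfg  *tls.Config
	}{{"weak (MinVersion TLS 1.0)", weakServerConfig(cert)}, {"hardened (MinVersion TLS 1.2)", hardenedServerConfig(cert)}}
	for _, s := range servers {
		for _, max := range []uint16{tls.VersionTLS11, tls.VersionTLS13} {
			v, err := negotiatedVersion(s.cfg, max)
			if err != nil {
				fmt.Printf("%-30s client max %s: refused (%v)\n", s.name, versionName(max), err)
			} else {
				fmt.Printf("%-30s client max %s: negotiated %s\n", s.name, versionName(max), versionName(v))
			}
		}
	}
}
```

The same probe works against a real endpoint by replacing the loopback listener with the host and port under review; the point of the weak configuration is that a server with MinVersion left at TLS 1.0 will happily negotiate TLS 1.1 with a downgrading client, which is exactly what the regular cipher and protocol review described above is meant to catch.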
Data at Rest
All data at rest, including backups, is encrypted with the Advanced Encryption Standard (AES) using 256-bit keys.
Key Management
We use our hosting providers’ Key Management Service (KMS) to create and manage cryptographic keys and to control their use across our services. These KMS services protect keys with hardware security modules, and detailed usage logs for every key are stored in central repositories.
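An added example, not Cresta’s code, of how the AES-256 encryption at rest and the KMS-managed keys described above typically fit together: envelope encryption, the usual pattern with a cloud KMS (the page does not say which pattern Cresta uses). A stand-in KMS type holds a 256-bit key-encryption key that never leaves it, hands out a fresh data key per stored object wrapped under that key, and appends every key operation to an audit log, mirroring the per-key usage logs mentioned above. The tenant identifier is bound into both the key wrap and the object’s AES-GCM authenticated data, which ties the scheme to the logical tenant separation described under Data Segregation. The KMS type, the log format and the tenant names are constructed for this illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a modified byte or a different aad fails the tag check.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or truncated ciphertext")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// KMS stands in for a hosting provider's key service (constructed for this example).
type KMS struct {
	kek []byte   // 256-bit key-encryption key; it never leaves the KMS (an HSM in practice)
	Log []string // key-usage audit trail, one entry per key operation
}

func NewKMS() (*KMS, error) {
	kek := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, kek)
	return &KMS{kek: kek}, err
}

// GenerateDataKey returns a fresh 256-bit data key in plaintext (use, then wipe)
// and the same key wrapped under the KEK with ctx bound as AAD (store beside data).
func (k *KMS) GenerateDataKey(ctx string) (plain, wrapped []byte, err error) {
	plain = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, plain); err != nil {
		return nil, nil, err
	}
	k.Log = append(k.Log, "GenerateDataKey ctx="+ctx)
	wrapped, err = seal(k.kek, plain, []byte(ctx))
	return plain, wrapped, err
}

// Unwrap recovers a data key; ctx must equal the context bound at generation.
func (k *KMS) Unwrap(ctx string, wrapped []byte) ([]byte, error) {
	plain, err := open(k.kek, wrapped, []byte(ctx))
	k.Log = append(k.Log, fmt.Sprintf("Decrypt ctx=%s ok=%t", ctx, err == nil))
	return plain, err
}

// EncryptRecord encrypts one stored object under its own data key and binds the
// tenant ID into both the key wrap and the ciphertext AAD. It returns the wrapped
// key and the ciphertext, which are the only things persisted.
func EncryptRecord(k *KMS, tenant string, plaintext []byte) ([]byte, []byte, error) {
	dek, wrapped, err := k.GenerateDataKey(tenant)
	if err != nil {
		return nil, nil, err
	}
	ct, err := seal(dek, plaintext, []byte(tenant))
	for i := range dek {
		dek[i] = 0 // the plaintext data key is never persisted
	}
	return wrapped, ct, err
}

// DecryptRecord fails for any tenant other than the one bound at encryption:
// the KMS unwrap itself rejects a mismatched tenant, so relabelling does not help.
func DecryptRecord(k *KMS, tenant string, wrapped, ct []byte) ([]byte, error) {
	dek, err := k.Unwrap(tenant, wrapped)
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dek, ct, []byte(tenant))
}

func main() {
	k, _ := NewKMS()
	wrapped, ct, _ := EncryptRecord(k, "tenant-a", []byte("constructed sample: call transcript"))
	pt, err := DecryptRecord(k, "tenant-a", wrapped, ct)
	_, err2 := DecryptRecord(k, "tenant-b", wrapped, ct) // another tenant's identity
	fmt.Printf("tenant-a: %q err=%v\ntenant-b: err=%v\nkms log: %v\n", pt, err, err2, k.Log)
}
```

Two properties of the pattern are worth checking in any real deployment: a compromise of stored objects and wrapped keys alone yields nothing without a KMS call, and every such call leaves a log entry naming the context it was made under, which is what makes the central key-usage logs described above useful for detection.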
Redundancy
Cresta’s infrastructure uses a managed Kubernetes service to run and manage Cresta’s family of products. This service allows Cresta to automatically scale services up and down with traffic load across multiple Availability Zones (AZs), giving the platform high availability and resiliency.
Backup Management
Cresta performs daily backups of customer data. These backups are retained across multiple Availability Zones (AZs) and encrypted at rest using Advanced Encryption Standard (AES-256).
Business Continuity and Disaster Recovery
Cresta maintains and annually updates its Business Continuity and Disaster Recovery plans to minimize business and service disruption in the event of a disaster. The Disaster Recovery plan, including restoration from the last known-good backup, is tested at least annually.
Application / Platform Security
Secure Development Lifecycle (SDLC)
Cresta uses static application security testing, dependency monitoring, and code reviews to prevent and remediate vulnerabilities in code. Additionally, every developer participates in secure coding training.
Vulnerability Management
In order to track, assess risk and prioritize vulnerability remediation, Cresta maintains a vulnerability management program utilizing the Common Vulnerability Scoring System (CVSS).
Penetration Testing
Cresta undergoes annual penetration tests by reputable third parties. In addition, Cresta’s Security team regularly assesses its products against the OWASP Top 10 and the Application Security Verification Standard (ASVS).
Vulnerability Disclosure
Cresta values the information security community and encourages security researchers to participate in our responsible vulnerability disclosure program. To report a vulnerability, please contact us at [email protected] (PGP). Every vulnerability report is triaged and assessed within 24 hours during business days.
Human Resources and Endpoint Security
Background Checks
Cresta performs background checks on all new employees and contractors in accordance with local laws.
Confidentiality Agreements
All employees and contractors are required to sign a Confidentiality Agreement or Non-Disclosure Agreement upon hire.
Policies
All information security policies and procedures are reviewed and updated by the Security and Compliance team at least annually. Any changes or updates to these policies are communicated and must be acknowledged by all employees and contractors (with access to sensitive systems and data). Employees or contractors found to be in violation of the information security policies may be subject to disciplinary action, up to and including termination of employment, or contractual agreement.
Training and Awareness
All employees and contractors (with access to sensitive systems and data) are required to attend security awareness training upon hire and annually thereafter. Additional security awareness notifications and updates from the Security and Compliance team are sent to employees and contractors as necessary.
Endpoints
All Cresta employee and contractor endpoints are centrally managed by our IT team. At a minimum, every endpoint has enforced controls such as a password-protected screen saver, automatic lockout after predefined inactivity, anti-virus/anti-malware software, and hard disk encryption.