Our enterprise-grade security program is designed to keep our customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.
All Cresta servers reside within our virtual private cloud (VPC), access to which follows the principle of least privilege. Any and all access requires two-factor authentication (2FA). Each customer’s data and application instance runs on standalone infrastructure with network segregation. All traffic within our network is encrypted in transit, and all customer data is encrypted at rest.
Cresta engineering takes security very seriously. All code commits must be approved after a mandatory code review, along with examination by static analysis. Every developer undergoes security training as part of their onboarding process, and our security policies are audited annually. We follow industry best practices for patching software with known security vulnerabilities, and work with external researchers to help secure our software.
Cresta follows secure credential storage best practices: passwords are never stored in human-readable format, only as the output of a secure, salted, one-way hash. Two-factor authentication, IP whitelisting, and SAML are made available to our customers for further restricting access to accounts.
Automatic redaction can redact strings of digits that match a valid credit card primary account number, social security numbers, and other categories of PII. Cresta is CCPA compliant. Any access to customer data follows the principle of least privilege and role-based access control with extensive logging.
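As an added example (not Cresta's redaction engine), here is how a redactor can tell a valid credit card primary account number from an arbitrary run of digits: candidate runs of 13 to 19 digits are checked with the Luhn checksum and only those that pass are replaced, which avoids redacting order numbers and similar identifiers that merely look card-like. The SSN pattern and the replacement tokens are assumptions for the example; the input line is constructed.

```python
import re

# 13-19 digits, optionally separated by single spaces or dashes (assumed candidate shape).
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# US SSN in dashed form, excluding invalid area (000, 666, 9xx), group (00) and serial (0000).
SSN_PATTERN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: from the right, double every second digit, subtract 9 if over 9, sum mod 10 == 0."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        d = int(char)
        if index % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_cards(text: str) -> str:
    """Replace only digit runs that pass the Luhn check; leave other digit runs untouched."""
    def replace(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        return "[REDACTED CC]" if luhn_valid(digits) else match.group(0)
    return CARD_CANDIDATE.sub(replace, text)


def redact_ssns(text: str) -> str:
    return SSN_PATTERN.sub("[REDACTED SSN]", text)


def redact(text: str) -> str:
    """Apply all redactors; SSNs are 9 digits so they never collide with the card pattern."""
    return redact_cards(redact_ssns(text))


if __name__ == "__main__":
    # Constructed sample transcript line: one valid test PAN, one Luhn-invalid digit run, one SSN.
    sample = "Customer 123-45-6789 paid with 4111 1111 1111 1111, ref 1234 5678 9012 3456"
    print(redact(sample))
```

The Luhn check is a format check, not proof that a number is a real card, so it reduces false positives rather than eliminating them; a production redactor would pair it with issuer-prefix ranges and context.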
Cresta undergoes an annual penetration test by third-party experts, and maintains a vulnerability disclosure process to work with the extended security researcher community on helping us identify vulnerabilities in our software. To report a vulnerability, please contact us at firstname.lastname@example.org.