Security
Your data is in safe hands. Our platform and application use leading enterprise-grade security to protect your information at all costs.
Datacenter compliance
Our Infrastructure is housed on Google Cloud Platform (GCP) and is compliant with the highest international security standards, SOC 2, ISO 9001, and ISO 27001. All payments are processed through Stripe, which is PCI-DSS Level 1 compliant.
PCI-DSS
We use Stripe -- which is PCI-DSS certified -- to process all payments.
craft.io’s system operates on Google Cloud Platform, which is ISO 27001, SOC-2 and FedRamp certified.
ISO 27001:2013
craft.io deploys industry standard security controls and is ISO 27001:2013 certified, we’ve based the platform’s Information Security Management System controls on ISO 27001 and SOC-2 principles.
Built-in security and reliability
Above our hosting platform, we provide exceptional security features including Single Sign-On (SSO), Multi-Factor Authentication (MFA), six-level user permissions, data encryption at rest, and passwords for LiveShare views. When it comes to backing up your data, you’ll have access to activity streams, a history of all changes, and data backup through CSV files.
Penetration Tests
craft.io uses third party experts to perform periodic Penetration Tests to its production environment, in order to verify that security is maintained at the highest possible standards. Both Application level and Infrastructure level threats are explored to understand whether new vulnerabilities are applicable and to provide a comprehensive view of craft.io’s protection mechanisms.
Encryption
craft.io encrypts all data in transit using TLS with 256 bit AES encryption. Our server scores “A” on Qualys SSL Labs‘ tests.
Data-at-rest is encrypted using AES-256 encryption
Identification and Authentication
Access to the production environment is limited to a small team of employees, as per their job requirements. Access requires the use of 2-Factor Authentication, which necessitates a robust login process consisting of a strong password and a one-time code provided by Google Authenticator.
Back Up
craft.io data is backed-up to a separate, secure environment for improved Availability and Data Integrity in case of a malfunction scenario.
Auditing and Logging
craft.io maintains logs of all of its systems and services, and audits these logs frequently as a supplementary control to its other security and access control mechanisms.
Disaster Recovery and Business Continuity
craft.io’s service was designed to overcome various disaster scenarios, and utilizes GCP’s cloud resilience as well as efficient internal processes to recover quickly and smoothly.
Logical Access
craft.io allows access to its Production network according to the least-privilege, need-to-work principle. Access is logged and reviewed frequently, to maintain close control of protection and data access.
DDoS Mitigation
craft.io’s use of GCP’s DDOS protection mechanisms, as well as its multi-region and multi-zone capabilities, allows craft.io to provide DDoS-protected services.
Intrusion Detection and Prevention
craft.io uses Intrusion Detection capabilities to monitor and detect security incidents. If and when a suspected intrusion is detected, craft.io operates according to its ISO-27001-compliant Incident Response process.
Physical Security & Data Hosting
craft.io uses Google Cloud Platform data centers in the United States and the EU. GCP’s physical security is known to be the market gold standard, and is audited as part of GCP’s SOC-2 and ISO 27001 certification.
Cloud Security
craft.io’s security and availability architecture is designed according to ISO 27001 and SOC-2 principles, and is implemented based on industry best practices.
IP Whitelisting
craft.io can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.
Uptime
craft.io has 99% or higher uptime.
Password and Credential Storage
craft.io enforces a password complexity standard, and encrypts stored passwords.
Role-Based Access Controls
Access to data within the craft.io application is governed by role-based access controls (RBAC). craft.io has various predefined roles : Account Owner, Workspace Owner, Workspace Admin, Team Leader, Editor, Contributor.
SSO
craft.io offers SAML 2.0 Single Sign-on (SSO) to enable seamless integration with your existing identity solutions: OKTA, Google Workspace, Active Directory, Ping Identity, and any SAML 2.0 compatible solution.
Application security
To make sure all communication is secure we use HTTPS and 25g-bit AES encryption, Multi-Factor Authentication, and private portals.
Separate Environments
The Testing environment is completely separated from the Production environment. No Customer or Production Data is used in our development or test environments.
Quality Assurance
All code developed at craft.io undergoes strict automatic and manual quality assurance testing, to ensure it is correct, efficient and free of security vulnerabilities.
Code Reviews
All code packages undergo Code Reviews before being allowed to merge into craft.io’s main code branch, thus ensuring a clean, controlled and high-level code base.
Secure Software Development Life Cycle
craft.io’s software is developed using a structured development process, integrating security and privacy-by-design at all stages of the life cycle.
All developers receive annual Secure Development training, covering security architecture, secure coding and OWASP top 10 threats.
Operational security
We’re committed to protecting your data by meeting GDPR compliance. For peace of mind, our system infrastructure is protected from unauthorized access by firewall and network services. Only our senior IT staff has will have access to customer data when providing customer support and we prevent any potential system vulnerabilities through our ongoing network and web application scanning.
Training
All craft.io employees take part in yearly Security Awareness training sessions and while completing their onboarding process.
Policies
All craft.io employees read and sign its ISO-27001-certified Information Security Policy and Acceptable Use Policy.
Confidentiality
All craft.io employees sign confidentiality agreements as part of their employment contracts.
Helping enterprises thrive
Product teams love craft.io
“craft.io makes it so easy to tie everything we do to OKRs and other metrics that it’s proving to be one of the most valuable tools in Kingfisher’s move to a product-led culture.”
Matt Jackson
Group Product Manager, Kingfisher
“The bar for what makes a great product gets higher every year. craft.io is a testament to that. We expect them to keep defining what it means to be at the cutting edge of product, not only in 2023 but also in the years to come.”
Founding CEO, Products That Count
“Now that we have a software solution designed specifically for product management, our agile teams are able to connect OKRs directly to items on their roadmaps and quickly weigh competing items by applying the prioritization models built right into craft.io.”
Product Management CoE, Fannie Mae
"craft.io is the first solution I’ve ever used that lets me do just about all of my product work in one environment. That saves me hours every week.”
Product Team Manager, AI21 labs
“Of all the benefits we’re receiving from craft.io, I think the most significant is being able to view, analyze, and share the same data in many different ways.”
VP of Products, Acolad
“... we extended the product delivery with the product discovery part, driven by insight from customers in one tool!!”
Lead Product Manager, SAP
"Everything on one place".
Scrum Master, Kimberly-Clark
“The full package for road mapping, feedback gathering tool that will truly enable any PM.”
Sr Product Manager, Radicle Balance
"At SaaS Awards, we were most impressed with craft.io's Guru layer, which provides teams with easy access to hundreds of best-practice templates and views."
Lead Judge, SaaS Awards
"craft.io offers the possibility to set up multiple views that adjust to your needs: roadmap prioritization, capacity planning, or simply demand intaking."
Product Owner eCommerce, Kimberly-Clark
“This tool is a one-stop-shop for product management. craft.io helped us stay on top of our product management work, but it has also helped us learn how to be a better product team.”
CEO & Co-Founder, blings.io
“With craft.io, we have an always-updated roadmap and a single source of truth that anyone in the company can view. I can’t overstate how valuable that is.”
Group Product Manager, quickbase
“You are pro-grade product managers. Delivering better outcomes and driving continuous improvement.”
Transformation Champion & Senior Marketing Leader, Kimberly-Clark
"…the best combination of stakeholder friendly and team friendly features on the market."
VP of Engineering, Social Native
craft.io is the perfect product for product managers. It makes it very easy to manage your products all the way from Strategy to detailed implementation lifecycles.
Lead Product Manager, IMImobile, Cornell University
Product Management, easier. It's also a clearly modern web app, unlike most of its competitors. You can easily create stories and issues out of notes.
Product Owner, Artos Systems
craft.io supports the entire product management life cycle with a rich and easy to use interface. The kanban boards are well designed and implemented.
Product Manager, Cornell University, Cisco
