Security

Your data is in safe hands. Our platform and application use leading enterprise-grade security to protect your information at all costs.

Security image
icons

Datacenter compliance

Our Infrastructure is housed on Google Cloud Platform (GCP) and is compliant with the highest international security standards, SOC 2, ISO 9001, and ISO 27001. All payments are processed through Stripe, which is PCI-DSS Level 1 compliant.

PCI-DSS

We use Stripe -- which is PCI-DSS certified -- to process all payments. craft.io’s system operates on Google Cloud Platform, which is ISO 27001, SOC-2 and FedRamp certified.

ISO 27001:2013

craft.io deploys industry standard security controls and is ISO 27001:2013 certified, we’ve based the platform’s Information Security Management System controls on ISO 27001 and SOC-2 principles.

Built-in security and reliability

Above our hosting platform, we provide exceptional security features including Single Sign-On (SSO), Multi-Factor Authentication (MFA), six-level user permissions, data encryption at rest, and passwords for LiveShare views. When it comes to backing up your data, you’ll have access to activity streams, a history of all changes, and data backup through CSV files.

Penetration Tests

craft.io uses third party experts to perform periodic Penetration Tests to its production environment, in order to verify that security is maintained at the highest possible standards. Both Application level and Infrastructure level threats are explored to understand whether new vulnerabilities are applicable and to provide a comprehensive view of craft.io’s protection mechanisms.

Encryption

craft.io encrypts all data in transit using TLS with 256 bit AES encryption. Our server scores “A” on Qualys SSL Labs‘ tests. Data-at-rest is encrypted using AES-256 encryption

Identification and Authentication

Access to the production environment is limited to a small team of employees, as per their job requirements. Access requires the use of 2-Factor Authentication, which necessitates a robust login process consisting of a strong password and a one-time code provided by Google Authenticator.

Back Up

craft.io data is backed-up to a separate, secure environment for improved Availability and Data Integrity in case of a malfunction scenario.

Auditing and Logging

craft.io maintains logs of all of its systems and services, and audits these logs frequently as a supplementary control to its other security and access control mechanisms.

Disaster Recovery and Business Continuity

craft.io’s service was designed to overcome various disaster scenarios, and utilizes GCP’s cloud resilience as well as efficient internal processes to recover quickly and smoothly.

Logical Access

craft.io allows access to its Production network according to the least-privilege, need-to-work principle. Access is logged and reviewed frequently, to maintain close control of protection and data access.

DDoS Mitigation

craft.io’s use of GCP’s DDOS protection mechanisms, as well as its multi-region and multi-zone capabilities, allows craft.io to provide DDoS-protected services.

Intrusion Detection and Prevention

craft.io uses Intrusion Detection capabilities to monitor and detect security incidents. If and when a suspected intrusion is detected, craft.io operates according to its ISO-27001-compliant Incident Response process.

Physical Security & Data Hosting

craft.io uses Google Cloud Platform data centers in the United States and the EU. GCP’s physical security is known to be the market gold standard, and is audited as part of GCP’s SOC-2 and ISO 27001 certification.

Cloud Security

craft.io’s security and availability architecture is designed according to ISO 27001 and SOC-2 principles, and is implemented based on industry best practices.

IP Whitelisting

craft.io can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.

Uptime

craft.io has 99% or higher uptime.

Password and Credential Storage

craft.io enforces a password complexity standard, and encrypts stored passwords.

Role-Based Access Controls

Access to data within the craft.io application is governed by role-based access controls (RBAC). craft.io has various predefined roles : Account Owner, Workspace Owner, Workspace Admin, Team Leader, Editor, Contributor.

SSO

craft.io offers SAML 2.0 Single Sign-on (SSO) to enable seamless integration with your existing identity solutions: OKTA, Google Workspace, Active Directory, Ping Identity, and any SAML 2.0 compatible solution.

Application security

To make sure all communication is secure we use HTTPS and 25g-bit AES encryption, Multi-Factor Authentication, and private portals.

Separate Environments

The Testing environment is completely separated from the Production environment. No Customer or Production Data is used in our development or test environments.

Quality Assurance

All code developed at craft.io undergoes strict automatic and manual quality assurance testing, to ensure it is correct, efficient and free of security vulnerabilities.

Code Reviews

All code packages undergo Code Reviews before being allowed to merge into craft.io’s main code branch, thus ensuring a clean, controlled and high-level code base.

Secure Software Development Life Cycle

craft.io’s software is developed using a structured development process, integrating security and privacy-by-design at all stages of the life cycle. All developers receive annual Secure Development training, covering security architecture, secure coding and OWASP top 10 threats.

Operational security

We’re committed to protecting your data by meeting GDPR compliance. For peace of mind, our system infrastructure is protected from unauthorized access by firewall and network services. Only our senior IT staff will have access to customer data when providing customer support and we prevent any potential system vulnerabilities through our ongoing network and web application scanning.

Training

All craft.io employees take part in yearly Security Awareness training sessions and while completing their onboarding process.

Policies

All craft.io employees read and sign its ISO-27001-certified Information Security Policy and Acceptable Use Policy.

Confidentiality

All craft.io employees sign confidentiality agreements as part of their employment contracts.

Helping enterprises thrive