Craft.io Security

Your product plans and data are among your organization’s best-kept secrets. That’s why we built Craft.io using the strictest security protocols in the industry. Hundreds of companies around the world trust Craft.io to keep their product plans and data safe and secure, so you can rest assured that your sensitive data is protected with us.

Compliance

ISO 27001:2013

Craft.io deploys industry-standard security controls and is ISO 27001:2013 certified. The platform’s Information Security Management System controls are based on ISO 27001 and SOC 2 principles.

PCI-DSS

We use Stripe, which is PCI-DSS certified, to process all payments.

Craft.io’s system operates on Google Cloud Platform, which is ISO 27001, SOC 2 and FedRAMP certified.

Product security & reliability

Craft.io’s security goes above and beyond the mechanisms provided by our hosting environment. We’ve added further security and control through multiple layers of protection within the platform itself:

SSO

Craft.io offers SAML 2.0 Single Sign-On (SSO) for seamless integration with your existing identity solutions: Okta, Google Workspace, Active Directory, Ping Identity, and any other SAML 2.0 compatible identity provider.

Role-Based Access Control

Access to data within the Craft.io application is governed by role-based access control (RBAC). Craft.io provides several predefined roles: Account Owner, Workspace Owner, Workspace Admin, Team Leader, Editor, and Contributor.

Password and Credential Storage

Craft.io enforces a password complexity standard, and encrypts stored passwords.

Uptime

Craft.io maintains 99% or higher uptime.

IP Whitelisting

Craft.io can be configured to allow access only from designated IP address ranges. These restrictions can be applied to all users.

Cloud Security

Craft.io’s security and availability architecture is designed according to ISO 27001 and SOC 2 principles, and is implemented based on industry best practices.

Physical Security & Data Hosting

Craft.io uses Google Cloud Platform data centers in the United States. GCP’s physical security is widely regarded as the market gold standard, and is audited as part of GCP’s SOC 2 and ISO 27001 certifications.

Intrusion Detection and Prevention

Craft.io uses intrusion detection capabilities to monitor for and detect security incidents. When a suspected intrusion is detected, Craft.io follows its ISO 27001-compliant Incident Response process.

DDoS Mitigation

Craft.io’s use of GCP’s DDoS protection mechanisms, together with GCP’s multi-region and multi-zone capabilities, allows Craft.io to provide DDoS-protected services.

Logical Access

Craft.io grants access to its production network according to the least-privilege, need-to-work principle. Access is logged and reviewed frequently, to maintain tight control over data access.

Disaster Recovery and Business Continuity

Craft.io’s service is designed to withstand a range of disaster scenarios, and relies on GCP’s cloud resilience as well as efficient internal processes to recover quickly and smoothly.

Auditing and Logging

Craft.io maintains logs of all of its systems and services, and audits these logs frequently as a supplementary control to its other security and access control mechanisms.

Backup

Craft.io data is backed up to a separate, secure environment to improve availability and data integrity in the event of a failure.

Identification and Authentication

Access to the production environment is limited to a small team of employees, according to their job requirements. Access requires two-factor authentication: a strong password plus a one-time code generated by Google Authenticator.

Encryption

Craft.io encrypts all data in transit using TLS with 256-bit AES encryption. Our server scores “A” on Qualys SSL Labs’ tests.

Data-at-rest is encrypted using AES-256 encryption.

Penetration Tests

Craft.io uses third-party experts to perform periodic penetration tests on its production environment, in order to verify that security is maintained at the highest possible standard. Both application-level and infrastructure-level threats are explored, to determine whether new vulnerabilities apply and to provide a comprehensive view of Craft.io’s protection mechanisms.

Application Security

Craft.io follows extensive processes and controls to ensure application security. All Craft.io engineers apply common best practices, as defined by standards such as OWASP and NIST, throughout all stages of development.

Secure Software Development Life Cycle

Craft.io’s software is developed using a structured development process, integrating security and privacy by design at every stage of the life cycle.

All developers receive annual secure development training, covering security architecture, secure coding and the OWASP Top 10 threats.

Code Reviews

All code changes undergo code review before being allowed to merge into Craft.io’s main code branch, ensuring a clean, controlled and high-quality code base.

Quality Assurance

All code developed at Craft.io undergoes strict automated and manual quality assurance testing, to ensure it is correct, efficient and free of security vulnerabilities.

Separate Environments

The testing environment is completely separated from the production environment. No customer or production data is used in our development or test environments.

HR Security

Employee Screening

All new Craft.io employees are subject to background checks in accordance with local, state and federal laws.

Confidentiality

All Craft.io employees sign confidentiality agreements as part of their employment contracts.

Policies

All Craft.io employees read and sign its ISO 27001-certified Information Security Policy and Acceptable Use Policy.

Training

All Craft.io employees take part in security awareness training during onboarding and in yearly refresher sessions.

Privacy

Review our Privacy Policy to learn about our policies regarding the collection, use and disclosure of personal data when you use our Service.
Thousands of product managers trust Craft.io worldwide

See what our customers say about Craft.io:

"Craft.io is the perfect product for product managers. It makes it very easy to manage your products all the way from Strategy to detailed implementation lifecycles."

Abhijit Dev

Lead Product Manager, IMImobile

"Craft.io supports the entire product management life cycle with a rich and easy to use interface. The kanban boards are well designed and implemented."

Paul Davis

Product Manager, Cornell University

"Product Management, easier. It’s also a clearly modern web app, unlike most of its competitors. You can easily create stories and issues out of notes."

Alexander Holley

Product Owner, Artos Systems

Ready to build great products?

support@craft.io

Copyright © 2020. All rights reserved.