Your product plans and data are one of your organization’s best kept secrets. That’s why we built Craft.io using the strictest security protocols in the industry. Hundreds of companies around the world trust Craft.io to keep their product plans and data safe and secure, so you can rest assured that your sensitive data is protected with us.
Craft.io deploys industry standard security controls and is ISO 27001:2013 certified, we’ve based the platform’s Information Security Management System controls on ISO 27001 and SOC-2 principles.
We use Stripe -- which is PCI-DSS certified -- to process all payments.
Craft.io’s system operates on Google Cloud Platform, which is ISO 27001, SOC-2 and FedRamp certified.
Product security & reliability
Craft.io’s security goes above and beyond the mechanisms provided by our hosting environment. We’ve added exceptional security and control through the addition of multi-tiered layers of security within the platform itself:
Craft.io offers SAML 2.0 Single Sign-on (SSO) to enable seamless integration with your existing identity solutions: OKTA, Google Workspace, Active Directory, Ping Identity, and any SAML 2.0 compatible solution.
Role-Based Access Controls
Access to data within the Craft.io application is governed by role-based access controls (RBAC). Craft.io has various predefined roles : Account Owner, Workspace Owner, Workspace Admin, Team Leader, Editor, Contributor.
Password and Credential Storage
Craft.io enforces a password complexity standard, and encrypts stored passwords.
Craft.io has 99% or higher uptime.
Craft.io can be configured to only allow access from designated IP address ranges. These restrictions can be applied to all users.
Craft.io’s security and availability architecture is designed according to ISO 27001 and SOC-2 principles, and is implemented based on industry best practices.
Physical Security & Data Hosting
Craft.io uses Google Cloud Platform data centers in the United States. GCP’s physical security is known to be the market gold standard, and is audited as part of GCP’s SOC-2 and ISO 27001 certification.
Intrusion Detection and Prevention
Craft.io uses Intrusion Detection capabilities to monitor and detect security incidents. If and when a suspected intrusion is detected, Craft.io operates according to its ISO-27001-compliant Incident Response process.
Craft.io’s use of GCP’s DDOS protection mechanisms, as well as its multi-region and multi-zone capabilities, allows Craft.io to provide DDoS-protected services.
Craft.io allows access to its Production network according to the least-privilege, need-to-work principle. Access is logged and reviewed frequently, to maintain close control of protection and data access.
Disaster Recovery and Business Continuity
Craft.io’s service was designed to overcome various disaster scenarios, and utilizes GCP’s cloud resilience as well as efficient internal processes to recover quickly and smoothly.
Auditing and Logging
Craft.io maintains logs of all of its systems and services, and audits these logs frequently as a supplementary control to its other security and access control mechanisms.
Craft.io data is backed-up to a separate, secure environment for improved Availability and Data Integrity in case of a malfunction scenario.
Identification and Authentication
Access to the production environment is limited to a small team of employees, as per their job requirements. Access requires the use of 2-Factor Authentication, which necessitates a robust login process consisting of a strong password and a one-time code provided by Google Authenticator.
Craft.io encrypts all data in transit using TLS with 256 bit AES encryption. Our server scores “A” on Qualys SSL Labs‘ tests.
Data-at-rest is encrypted using AES-256 encryption.
Craft.io uses third party experts to perform periodic Penetration Tests to its production environment, in order to verify that security is maintained at the highest possible standards. Both Application level and Infrastructure level threats are explored to understand whether new vulnerabilities are applicable and to provide a comprehensive view of Craft.io’s protection mechanisms.
Craft.io practices extensive processes and controls to ensure application security. All Craft.io engineers make use of common best practices as defined by standards like OWASP and NIST throughout all stages of development.
Secure Software Development Life Cycle
Craft.io’s software is developed using a structured development process, integrating security and privacy-by-design at all stages of the life cycle.
All developers receive annual Secure Development training, covering security architecture, secure coding and OWASP top 10 threats.
All code packages undergo Code Reviews before being allowed to merge into Craft.io’s main code branch, thus ensuring a clean, controlled and high-level code base.
All code developed at Craft.io undergoes strict automatic and manual quality assurance testing, to ensure it is correct, efficient and free of security vulnerabilities.
The Testing environment is completely separated from the Production environment. No Customer or Production Data is used in our development or test environments.
All new Craft.io employees are subjected to background checks in accordance with local, federal and state laws.
All Craft.io employees sign confidentiality agreements as part of their employment contracts.
All Craft.io employees read and sign its ISO-27001-certified Information Security Policy and Acceptable Use Policy.
All Craft.io employees take part in yearly Security Awareness training sessions and while completing their onboarding process.
Thousands of product managers trust Craft.io worldwide
See what our customers say about Craft.io:
"Craft.io is the perfect product for product managers. It makes it very easy to manage your products all the way from Strategy to detailed implementation lifecycles."
Lead Product Manager, IMImobile
״Craft.io supports the entire product management life cycle with a rich and easy to use interface. The kanban boards are well designed and implemented.״
Product Manager, Cornell University
"Product Management, easier. It’s also a clearly modern web app, unlike most of its competitors. You can easily create stories and issues out of notes."