Our enterprise-grade security program is designed to keep our customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.
With SOC 2 Type II compliance, Cresta has met rigorous requirements for security monitoring, including monitoring for both known and unknown malicious activity affecting customer data in the cloud.
PCI-DSS compliance is administered by the Payment Card Industry Security Standards Council, and reflects that Cresta has met its stringent criteria for securing and protecting cardholder data.
Cresta is ISO 27001 certified. With regular third-party audits, we provide customers with total transparency around how we ensure the security of all Cresta and customer assets.
As a global leader in artificial intelligence and conversational intelligence, Cresta regularly invests in designing, managing, and improving privacy systems. Cresta's privacy program is ISO 27701 certified and enterprise-grade.
All Cresta servers reside within our virtual private cloud (VPC), access to which follows the principle of least privilege. Any and all access requires two-factor authentication (2FA). Each customer’s data and application instance runs on standalone infrastructure with network segregation. All traffic within our network is encrypted in transit, and all customer data is encrypted at rest.
Cresta engineering takes security very seriously. All code commits must be approved after a mandatory code review, along with examination by static analysis. Every developer undergoes security training as part of their onboarding process, and our security policies are audited annually. We follow industry best practices for patching software with known security vulnerabilities, and work with external researchers to help secure our software.
Cresta follows secure credential storage best practices: passwords are never stored in human-readable form; only the output of a secure, salted, one-way hash is stored. Two-factor authentication, IP whitelisting, and SAML are made available to our customers for further restricting access to accounts.
Automatic redaction can redact strings of digits that match a valid credit card primary account number (PAN), social security numbers, and other PII. Cresta is CCPA compliant. Any access to customer data follows the principle of least privilege and role-based access control with extensive logging.
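An added example of the kind of redaction the paragraph above describes; this is illustrative code, not Cresta's redaction engine. It assumes that "valid" PAN means a 13 to 19 digit run (spaces or dashes allowed between groups) that passes the Luhn check, so that arbitrary numbers such as order IDs are left alone, and that SSNs are matched in the NNN-NN-NNNN form. The sample input is constructed for the example, using a well-known Luhn-valid test number rather than a real card.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not glued to other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US Social Security Number in the NNN-NN-NNNN form (assumed format for this example).
_SSN = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact(text: str) -> str:
    """Replace Luhn-valid PANs and SSNs with placeholders; leave other numbers intact."""

    def pan_repl(match: re.Match) -> str:
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return "[REDACTED PAN]"
        return match.group(0)   # not a valid card number: keep the original text

    text = _PAN_CANDIDATE.sub(pan_repl, text)
    text = _SSN.sub("[REDACTED SSN]", text)
    return text


if __name__ == "__main__":
    # Constructed sample transcript line; 4111 1111 1111 1111 is a standard test PAN.
    sample = "card 4111 1111 1111 1111, ssn 123-45-6789, order 20240101, ref 4111111111111112"
    print(redact(sample))
```

The Luhn check is what keeps false positives down: the 16-digit reference number in the sample fails the checksum and survives, while the test card number, whose digits were entered with spaces, is removed. A production engine would extend the candidate patterns (other SSN spellings, IBANs, phone numbers) and log what was redacted without logging the redacted value.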
Cresta undergoes an annual penetration test by third-party experts, and maintains a vulnerability disclosure process to work with the extended security researcher community on helping us identify vulnerabilities in our software. To report a vulnerability, please contact us at email@example.com.