Crelate Security Policy
Effective 11.05.2023
Where Client’s Data is processed or used automatically, Crelate meets specific requirements of data protection by utilizing security best practices. Crelate implements the following measures to protect personal data or other sensitive data categories.
SECURITY – TECHNICAL AND ORGANIZATIONAL MEASURES
Infrastructure and Physical Access Control
To help prevent unauthorized persons from gaining access to data processing systems where data is processed or used:
- Crelate leverages industry-leading data hosting, with all our services hosted in Microsoft Azure.
- Our production environment is hosted in Azure US West, and data storage is geo-replicated to Azure US East.
- Access to all data centers is strictly controlled. All data centers are equipped with 24x7x365 surveillance including perimeter, building, and server rack. Access incorporates a multi-tiered access approach and is reviewed periodically by separate security teams. Additionally, all providers have industry standard certifications, such as ISO27001, HIPAA, FedRAMP, SOC1 and SOC2.
- Data center media wiping and destruction complies with NIST 800-88, and all destruction records are retained.
System Access Control
To help prevent data processing systems from being used without authorization:
- Administrative access to Crelate systems and services follows the principle of least privilege. Access to systems is based on job role and responsibilities. Crelate utilizes unique usernames/identifiers that are not permitted to be shared or re-assigned to another person.
- Fully managed secure PaaS, just-in-time (JIT) access, and multi-factor authentication (MFA) are used for access to internal support tools and product infrastructure.
- Bastion hosts are used to log into infrastructure systems.
- Network access control lists (ACLs) and security groups are used to limit ingress and egress traffic from production infrastructure.
- Intrusion detection systems (IDS) are used to detect potential unauthorized access.
- Onboarding and offboarding processes are documented and followed consistently to ensure that access to internal and externally hosted tools and systems is effectively managed.
- Single sign-on (SSO) functionality and MFA are leveraged as commercially reasonable.
- Network protections and layer segmentation are used to defend against distributed denial of service (DDoS) attacks and other bot-focused attack vectors.
Data Access Control
To help ensure authorized users entitled to use data processing systems have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified, or removed without authorization while processing or use and after storage:
- Crelate utilizes a password management system that enforces minimum password length, complexity, expiration time, and minimum last used.
- Employee workstations automatically lock after a period of inactivity, as reasonably determined by Crelate in accordance with industry standards. Systems log out users after a period of inactivity, as reasonably determined by Crelate in accordance with industry standards.
- Logs are centrally stored and indexed. Critical logs, as reasonably determined by Crelate in accordance with industry standards (such as security logs), are retained for at least one year.
- The Crelate patch management process helps to ensure that systems are patched at least once every month, unless commercially infeasible. Monitoring, alerting, and routine vulnerability scanning occurs to ensure that all product infrastructure is patched in accordance with Crelate’s then-current practices.
- Industry-standard antivirus software is utilized to ensure internal assets that access personal data are protected against known viruses. Antivirus software is updated regularly.
- Crelate utilizes firewall devices to prevent unwanted traffic from entering the network. A firewall-based DMZ further protects internal systems that hold sensitive data.
Data Transmission Control
To help ensure that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport:
- Customer data is stored encrypted at rest using AES-256 encryption on block devices.
- Customer backups are encrypted in transit and at rest using strong encryption.
- Crelate supports TLS 1.2 to encrypt network traffic between the client application and Crelate infrastructure.
- Crelate performs risk assessments and third-party penetration tests annually, or as needed due to changes in the business.
- Crelate promptly reacts to responsible disclosure of vulnerabilities from community researchers.
Input Control
To help ensure that it is possible to check and establish whether and by whom personal data have been input into data processing systems, modified, or removed:
- Systems are monitored for security events to ensure quick resolution.
- Logs are centrally stored and indexed. Critical logs, as reasonably determined by Crelate (such as security logs), are retained for at least one year. Logs can be traced back to individual unique usernames with timestamps to investigate nonconformities or security events.
Availability Control
To help ensure personal data is protected from accidental destruction or loss:
- Account data is backed up at least daily. Incremental/point-in-time recovery is available for all primary databases. Backups are encrypted in transit and at rest using strong encryption.
- When necessary, Crelate patches infrastructure in an expedited manner in response to the disclosure of critical vulnerabilities to ensure system uptime is preserved.
- Customer environments are logically separated at all times. Customers cannot access accounts other than those for which they have been issued authorization credentials.
Incident Response
Crelate implements a formal incident response plan to help ensure thorough and complete resolution of information security events.
- All staff are trained on the policy and procedures should a security event occur.
- Detailed records are kept of the event, its classification, root cause analysis, mitigation, and lessons learned to prevent a similar event in the future.
- Should a data breach occur, Crelate will promptly notify affected parties via email, with details of the breach and the status of the mitigation.
Certification/Assurance of Processes and Products
To help ensure internal IT and IT security governance and management as well as assurance of processes and products, Crelate conducts a rigorous internal security audit bi-annually, as well as the following third-party audits for:
- Security and Penetration Test
- ISO 27001 Certification
- SOC2 Type 2 Report