Security and Privacy
Security Measures
Discover the steps we take at Craft to guarantee a secure environment for you and your team.
- Organizational Security
As we detailed in our Note about Data, we believe your data is your property. For us this means two distinct things. We do not sell your data to third parties or use it for advertising. We also put extensive effort into protecting your data from unwanted access to keep it yours. We have long been working with these principles in mind and we also went through third party audits to prove our commitment.
- Regular security training for all employees
- Continuous vulnerability scanning
- Regular third party penetration tests
- Data encryption at rest and in transit
- Security reviews at multiple stages of the software development lifecycle
- Should a data breach happen we will notify you within 72 hours of learning about it
- Data Encryption
To ensure your data is only accessed by authorised parties we use the principle of least privilege, meaning that employees only have the level of access absolutely necessary to perform their jobs. This principle is applied to all resources and information at Craft. stored at rest.
All data is stored encrypted in our database and it is also always encrypted when travelling through the network. Customer data can only leave this encrypted environment in special cases like supporting a customer request. All customer data is hosted by Amazon Web Services (AWS) which itself hosts has numerous security certifications and ensures the physical security of that data.
- Vendor Management
In order to provide our services we engage third parties to carry out a few data-processing activities that involve access to limited customer data. These organisations are called "sub-processors".
We have established a vendor management policy to be able to identify and minimise risk arising from working with other companies while also being able to utilise the powerful services they provide. We regularly review our sub-processors and the data we share with them to protect our customers of supply chain attacks.
We make sure that our vendors also adhere to security best practices and comply with industry standards such as SOC 2 and ISO 27001. This way we can eliminate the risk of your data being mishandled.
Compliance and Certifications
Craft is compliant with international frameworks and legal requirements to provide a safe place for your data.
- SOC 2
SOC 2 Type II compliance is a comprehensive and rigorous set of standards set by the American Institute of Certified Public Accountants (AICPA). This compliance verifies that a company's security systems are designed, implemented, and operating effectively to protect the confidentiality, integrity, and availability of customer information. The controls defined in the standard cover the whole operations of a company and any third parties it is working with.
By maintaining active SOC 2 Type II compliance, Craft is demonstrating its commitment to maintaining the utmost level of security to protect its clients' data. Through an annual audit, Craft proves that its security practices meet or exceed industry standards, including best practices for cybersecurity and adherence to regulatory compliance requirements.
- GDPR
We recognise the importance of safeguarding sensitive information and follow regulations in doing so. The General Data Protection Regulation (GDPR) governs the collection, storage, and use of personal information for companies operating within the European Union. As a responsible company, Craft adheres to the GDPR guidelines to maintain the privacy and security of its customers data. The GDPR mandates that companies must obtain explicit consent from customers to collect their data, restrict the processing of personal information to specific purposes, and ensure the security of the data they collect.
Craft takes these requirements seriously, and its operations are designed to align with these regulations. By aligning its operations with GDPR, Craft can assure its customers that their data is secure and will not be misused.
Request More Info
We're happy to provide additional security and privacy compliance documentation upon request.
Contact Customer Support