Creately Security
We at Creately take privacy and security seriously. We make our best efforts to ensure that your data is protected. We know that hosting and managing your data is a serious responsibility, and we do not take it lightly. We look at security as an ongoing journey, not as a destination to reach and then forget.
Compliance
Creately is SOC 2 Type 2 and ISO 27001:2013 certified. We actively maintain and manage these controls and are audited yearly for compliance.
The SOC 2 Type 2 report is available on request, under NDA, for Enterprise customers.
Encryption and Key Management
Encryption in transit
All customer data is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2 or higher with Perfect Forward Secrecy (PFS) to prevent unauthorized disclosure or tampering. Creately’s TLS configuration enforces strong cipher suites wherever they are supported.
Our SSL servers scored an A+ on the Qualys SSL test.
Encryption at rest
- All document content is encrypted at rest with AES-256.
Backups and Reliability
- Our datastores are backed up every 24 hours.
- All our systems are fully redundant and clustered.
- We run periodic exercises to ensure that the disaster recovery process is smooth and capable of restoring operations within a reasonable timeframe.
Password Storage
- All passwords are salted and hashed with multiple hash algorithms.
Payments and Credit Card Data storage
- All payments made to Creately go through Chargebee, which is PCI DSS certified. We don’t store any of your card data or payment-related information on our systems.
Data Center Security
Creately’s servers and your data are hosted in Amazon Web Services (AWS) data centres. Amazon has proper controls in place to assure physical and network security. AWS data centres are housed in nondescript facilities where physical access is strictly controlled, both at the perimeter and at building access points, by professional security staff, video surveillance, intrusion detection systems and other electronic means. Access to their data centre floors requires two-factor authentication a minimum of two times.
AWS maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI certification and SOC reports. The reports and further details can be found at https://aws.amazon.com/security/.
Architectural Security
Creately has been designed with security in mind, which is reflected in our network and server infrastructure and in our application design. We include risk assessments in every SDLC phase, treating security as a vital part of our architecture.
Network Security
- Creately practices a layered approach to network access with controls in each and every layer of the stack.
- We have implemented controls at each layer dividing our infrastructure by zones, environments and services.
- We have zone restrictions in place for our offices, data centres and platform network traffic. Staging and production environments are segregated, and communication endpoints are whitelisted to prevent compromise.
- We control access to sensitive networks via Virtual Private Cloud (VPC) routing, firewall rules and software-defined networking, and all communication is end-to-end encrypted.
- Staff connectivity is secured with device certificates, multi-factor authentication and use of proxies for sensitive network access. Access to customer data requires explicit review and approval.
- We have also implemented Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in all our offices and production environments to identify and prevent potential security issues.
- We monitor our infrastructure, applications and services 24/7, and have set up alerts to identify security breach attempts and downtime.
- We adhere to best practices for OS and application patch management.
Operational Security & Practices
We give our day-to-day operations and practices the same priority as we give to securing our architecture.
Access to Customer Document Data
- Within our environment we treat all customer data as equally sensitive and have strict controls governing this data. We will not access customer data without explicit authorization from the owner of the data. All access to customer data is logged and audited internally.
- Within Creately, only authorized employees have access to the customer data stored within our systems. Authentication uses individual passphrase-protected SSH keys, and the servers will accept incoming SSH connections only from Creately offices and internal data centre locations.
- We treat any inappropriate and/or unauthorized access to customer data as a security incident and manage it through our security incident process which includes instructions to notify affected customer(s) if a breach is observed.
Support Access
- Our support teams will only access customer information when necessary to resolve an open ticket and upon explicit customer request or consent.
Training/ Awareness
- Our security training and awareness programme is not held just for compliance’s sake, but to give employees broad knowledge and a deep understanding of the security aspects of their work and of our day-to-day processes and practices.
- We don’t stop at security awareness training for new hires. We conduct periodic training workshops on security issues and how to prevent or mitigate them, for continuous improvement.
Change Management
- We practice a change management process that informs stakeholders and uses an approval workflow to obtain their consent.
- All changes are peer-reviewed as part of our CI process.
- Our Continuous Integration (CI) tool checks every change merged into the master branch and flags any that causes failures in our integration, unit, functional or security tests.
Employee Recruitment
- We run background checks and other necessary security clearances when we onboard a new employee.
Security Incident Management
- Our security team aggregates logs from a number of sources in the infrastructure and makes use of a Security Information and Event Management (SIEM) platform to monitor and flag any suspicious activity.
- Our internal processes define how these alerts are triaged, investigated further and escalated appropriately.
Vulnerability Management
- Our security team performs ongoing network and infrastructure vulnerability scans using an industry-leading vulnerability scanner.
- We also use external security consulting firms to conduct penetration tests on our infrastructure, websites and apps whenever there is a new architectural design change or we set up our infrastructure in a new data centre.
- Internal processes are in place to review any reported vulnerabilities and to mitigate them. This process includes predefined timelines for patching vulnerabilities based on their CVSS (v3.1) score.
Report a Vulnerability
We would greatly appreciate any effort you take to report a security vulnerability in Creately. You can contact support to report any concerns or security incidents you may have, and we’ll work on them right away.