Security
How we protect your data and ensure platform security
Last updated: January 2025
Our Commitment to Security
At Crittiks, security is not an afterthought. It's built into every layer of our platform. We understand that you trust us with your most sensitive business data, and we take that responsibility seriously. Our security program follows industry best practices and is continuously updated to address emerging threats.
We maintain a multi-layered security approach that combines advanced technology, rigorous processes, and ongoing monitoring to protect your data from unauthorized access, disclosure, alteration, or destruction.
Data Encryption
We use industry-standard encryption to protect your data at every stage:
- In Transit: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS) 1.3 with 256-bit encryption. This ensures that no one can intercept or read your data while it's being transmitted.
- At Rest: All data stored in our databases is encrypted using AES-256 encryption. This includes your files, messages, project data, and personal information.
- Backup Encryption: All backup data is encrypted using the same standards as production data, ensuring your information remains protected even in archived states.
Infrastructure Security
Our infrastructure is built on industry-leading cloud providers with robust security measures:
- Cloud Hosting: We host Crittiks on secure, SOC 2 Type II certified infrastructure with 99.9% uptime SLA
- Network Segmentation: Our infrastructure uses network segmentation to isolate sensitive systems and limit potential attack surfaces
- DDoS Protection: Advanced DDoS protection and mitigation systems protect against distributed denial-of-service attacks
- Firewall Protection: Multi-layer firewalls monitor and control incoming and outgoing network traffic
- Intrusion Detection: Real-time intrusion detection and prevention systems (IDS/IPS) monitor for suspicious activity
Access Controls
We implement strict access controls to ensure only authorized individuals can access your data:
- Multi-Factor Authentication (MFA): Support for two-factor authentication to add an extra layer of security to your account
- Role-Based Access Control (RBAC): Granular permission systems ensure users only have access to the data they need
- Single Sign-On (SSO): Enterprise SSO support for centralized authentication management
- Session Management: Automatic session timeouts and secure session token management
- IP Whitelisting: Option to restrict access to specific IP addresses for enhanced security
Application Security
We follow secure development practices to prevent vulnerabilities:
- Secure Coding Standards: Our development team follows OWASP Top 10 guidelines and secure coding best practices
- Code Reviews: All code changes undergo peer review and security review before deployment
- Vulnerability Scanning: Automated vulnerability scanning runs continuously on our codebase
- Penetration Testing: Regular third-party penetration testing to identify and address potential security weaknesses
- Security Updates: Regular security patches and updates to all system components
- Input Validation: Comprehensive input validation and sanitization to prevent injection attacks
Data Backup and Recovery
We maintain robust backup and disaster recovery procedures:
- Automated Backups: Daily automated backups of all customer data with point-in-time recovery capabilities
- Geographic Redundancy: Backups are stored in multiple geographic locations to protect against regional failures
- Backup Testing: Regular testing of backup restoration procedures to ensure data can be recovered quickly
- Disaster Recovery Plan: Comprehensive disaster recovery plan with defined RTO (Recovery Time Objective) and RPO (Recovery Point Objective)
- Data Retention: Backup retention policies ensure we can restore data from multiple time points
Monitoring and Incident Response
We maintain 24/7 monitoring and have established incident response procedures:
- 24/7 Monitoring: Around-the-clock monitoring of our systems for security threats and anomalies
- Security Information and Event Management (SIEM): Advanced logging and analysis of security events
- Incident Response Team: Dedicated security team trained to respond to security incidents
- Incident Response Plan: Documented procedures for identifying, containing, and resolving security incidents
- Breach Notification: Commitment to notify affected users within 72 hours of discovering a data breach
Employee Security
Our employees are trained and vetted to maintain the highest security standards:
- Background Checks: All employees undergo background checks before being granted access to systems
- Security Training: Regular security awareness training for all employees
- Least Privilege Access: Employees only have access to the systems and data necessary for their role
- Confidentiality Agreements: All employees sign confidentiality and data protection agreements
- Access Revocation: Immediate access revocation upon employee termination
Compliance and Certifications
We adhere to industry standards and regulations:
- GDPR Compliance: Full compliance with the General Data Protection Regulation. See our GDPR page for details.
- SOC 2 Type II: Working towards SOC 2 Type II certification for our security, availability, and confidentiality controls
- ISO 27001: Following ISO 27001 information security management standards
- Privacy Shield: Adherence to international data transfer frameworks
- Australian Privacy Act: Compliance with Australian Privacy Principles (APPs)
Security Best Practices for Users
While we provide robust security measures, you can take additional steps to protect your account:
- Enable multi-factor authentication (MFA) on your account
- Use strong, unique passwords (minimum 12 characters with mixed case, numbers, and symbols)
- Avoid sharing login credentials with team members (instead, create separate accounts for each user)
- Review user permissions regularly and remove access for former team members
- Be cautious of phishing attempts and never share your password via email or chat
- Keep your devices and browsers up to date with the latest security patches
- Log out from shared or public computers after using Crittiks
- Monitor your account activity and report any suspicious behavior immediately
Responsible Disclosure
We welcome security researchers and users who discover potential vulnerabilities:
- If you discover a security vulnerability, please report it to security@crittiks.com
- Provide detailed information about the vulnerability, including steps to reproduce
- Allow us reasonable time to investigate and address the issue before public disclosure
- We commit to acknowledging your report within 48 hours and providing updates on resolution
Bug Bounty Program: We appreciate responsible disclosure and may offer rewards for valid security vulnerabilities based on severity and impact.
Contact Our Security Team
If you have questions about our security practices or need to report a security concern:
Email: security@crittiks.com
PGP Key: Available upon request for encrypted communications
Mail: CRITTIKS GROUP PTY LTD
Security Team
07 Portillo Cr, Pakenham VIC 3810
Australia
