Creately Security

We at Creately take privacy and security seriously and make our best efforts to ensure that your data is protected. We know that hosting and managing your data is a serious responsibility, and we do not take it lightly. We look at security as an ongoing journey, not as a destination to reach and then forget.

Encryption and Key management

Encryption in transit

  • All customer data is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2 or higher with Perfect Forward Secrecy (PFS) to prevent unauthorized disclosure or tampering. Creately’s TLS configuration enforces strong cipher suites wherever they are supported.

  • Our SSL servers scored an A on the Qualys test.
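A client-side check of the posture stated above (TLS 1.2 or higher only, ephemeral key exchange on every negotiated suite), written as an added example and not taken from Creately; HOST is a placeholder you replace with the endpoint you are verifying, and evaluate() also runs offline on constructed handshake results.

```python
"""Check an endpoint against the "TLS 1.2+ with PFS" posture described above.
Added example, not Creately's code; HOST is a placeholder you replace."""
import socket
import ssl

HOST, PORT = "example.invalid", 443          # placeholder target, not a real endpoint
LEGACY = ("TLSv1", "TLSv1_1")                # must be refused by the server
MODERN = ("TLSv1_2", "TLSv1_3")              # must succeed with a PFS suite


def is_pfs_cipher(cipher_name: str) -> bool:
    """True if the suite uses an ephemeral (EC)DH key exchange.
    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always ephemeral."""
    if cipher_name.startswith("TLS_"):
        return True
    return cipher_name.split("-")[0] in ("ECDHE", "DHE")


def negotiate(host: str, port: int, name: str) -> dict:
    """Handshake pinned to exactly one protocol version, e.g. name="TLSv1_1"."""
    version = ssl.TLSVersion[name]
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "cipher": tls.cipher()[0]}
    except (ssl.SSLError, ValueError, OSError) as exc:
        # A failure here can also mean the local OpenSSL build refuses the
        # legacy version itself; confirm with a packet capture if in doubt.
        return {"ok": False, "error": str(exc)}


def evaluate(results: dict) -> list:
    """Map version name -> negotiate() result into findings (empty = compliant)."""
    findings = []
    for name in LEGACY:
        if results.get(name, {}).get("ok"):
            findings.append(f"{name} accepted: downgrade below TLS 1.2 is possible")
    for name in MODERN:
        res = results.get(name, {})
        if res.get("ok") and not is_pfs_cipher(res["cipher"]):
            findings.append(f"{name} negotiated non-PFS suite {res['cipher']}")
    if not any(results.get(n, {}).get("ok") for n in MODERN):
        findings.append("no TLS 1.2+ handshake succeeded")
    return findings


if __name__ == "__main__":
    probe = {n: negotiate(HOST, PORT, n) for n in LEGACY + MODERN}
    print(evaluate(probe) or ["posture matches: TLS 1.2+ only, PFS suites"])
```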

Encryption at rest

  • All document content is encrypted at rest with AES-256.

Backups and Reliability

  • Our datastores are backed up every 24 hours.
  • All our systems are fully redundant and clustered.
  • We carry out periodic exercises to ensure that the disaster recovery process runs smoothly and can restore operations within the desired timeline.

Password Storage

  • All our passwords are salted and hashed using multiple hash algorithms.

Payments and Credit Card Data storage

  • All payments made to Creately go through Chargebee, which is PCI-DSS certified. We do not store any of your card data or payment-related information on our systems.

Data Center Security

  • Creately’s servers and your data are hosted in Amazon Web Services (AWS) data centres, and Amazon has proper controls in place to assure industry-leading physical and network security. AWS data centres are housed in nondescript facilities where physical access is strictly controlled both at the perimeter and at building access points by professional security staff, video surveillance, intrusion detection systems, and other electronic means. Access to their data centre floors requires two-factor authentication a minimum of two times.

  • AWS maintains multiple certifications for its data centres, including ISO 27001 compliance, PCI certification, and SOC reports. The reports and further details can be found at https://aws.amazon.com/security/.

Architectural Security

Creately has been designed with security in mind, and that is reflected in our network and server infrastructure and in our application design. We include risk assessments in every design phase, treating security as a vital part of our architecture.

Network Security

  • Creately practices a layered approach to network access, with controls in every layer of the stack.
  • We have implemented controls at each layer, dividing our infrastructure by zones, environments and services.
  • We have zone restrictions in place for our offices, data centres and platform network traffic. Staging and production environments are segregated, and communication endpoints are whitelisted to prevent compromise.
  • We control access to sensitive networks via Virtual Private Cloud (VPC) routing, firewall rules and software-defined networking, and all communications use end-to-end encryption.
  • Staff connectivity is secured with device certificates, multi-factor authentication and the use of proxies for sensitive network access. Access to customer data requires explicit review and approval.
  • We have also implemented Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in all our offices and production environments to identify and prevent potential security issues.
  • We monitor our infrastructure and applications/services 24/7. We have also set up alerts to identify security breaches and downtime.
  • We adhere to best practices for OS and application patch management.

Operational Security & Practices

We give our day-to-day operations and practices the same priority as we give to securing our architecture.

Access to Customer Document Data

  • Within our environment we treat all customer data as equally sensitive and have strict controls governing it. We will not access customer data without explicit authorization from the owner of the data. All access to customer data is logged and audited internally.
  • Within Creately, only authorized employees have access to the customer data stored within our systems. Authentication is done via individual passphrase-protected public keys, and the servers accept incoming SSH connections from Creately offices and internal data centre locations.
  • We treat any inappropriate and/or unauthorized access to customer data as a security incident and manage it through our security incident process which includes instructions to notify affected customer(s) if a breach is observed.

Support Access

  • Our support teams will only access customer information when necessary to resolve an open ticket and upon explicit customer request/consent.

Training/ Awareness

  • Our security training and awareness programme is not held just for compliance’s sake but to give employees broad knowledge and a deep understanding of the security aspects of their work and day-to-day processes and practices.
  • We don’t stop at the security awareness training for new hires; we also run periodic training, workshops and blog posts on security issues and how to prevent or mitigate them, for continuous improvement.

Change Management

  • We practice a change management process that informs stakeholders and uses an approval workflow to obtain their consent.
  • All changes are peer-reviewed as part of our CI process.
  • Our Continuous Integration (CI) tool checks and flags any change that, once merged into the master branch, causes failures in our integration, unit, functional or security tests.

Employee Recruitment

  • We run background checks and other necessary security clearance when we onboard a new employee.

Security Incident Management

  • Our security team aggregates logs from a number of sources in the infrastructure and makes use of a SIEM platform to monitor and flag any suspicious activity.
  • Our internal processes define how these alerts are triaged, investigated further and escalated appropriately.

Vulnerability Management

  • Our security team performs ongoing network and infrastructure vulnerability scans using an industry-leading vulnerability scanner.
  • We also use external security consulting firms to conduct penetration tests on infrastructure, websites and apps whenever there is a new architectural design change or we set up our infrastructure in a new data centre.
  • Internal processes are in place to review any reported vulnerabilities and to mitigate them. This process includes predefined timelines for patching vulnerabilities based on their CVSS (v3.1) score.

Compliance

We are in the process of being certified for SOC 2 and ISO 27001:2013; the process has been delayed due to COVID-19 [as of July 2020]. We have been adhering to the controls while the process reaches completion.

Report a Vulnerability

We would greatly appreciate any effort you take to report a security vulnerability in Creately. You can reach us at support@creately.com to report any concerns or security incidents, and we’ll work on them right away.