Security Statement – Technical and Organizational Measures
At Crowdsol, we take security seriously. We are committed to protecting our customer data and information systems. We take action to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services. We constantly evaluate our security posture to find ways to improve it, regularly testing, assessing and evaluating the effectiveness of our technical and organizational measures in order to ensure the security of processing.
You can reach our security team at firstname.lastname@example.org
We use infrastructure from Amazon AWS and Azure Cloud for data center hosting. Our providers' data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and SOC 2 compliant.
At Crowdsol we have a professional security team that monitors and responds to security alerts and events.
Third-party penetration tests are conducted against our services at least annually, and findings are remediated as soon as possible.
We leverage threat detection, DDoS mitigation and vulnerability scanning for our infrastructure, and all issues are remediated in a timely manner.
System management access to our systems is limited to a least-privilege model for our staff and is subject to audits. Two-factor authentication is required for all production systems.
All communication with our systems is encrypted with up-to-date protocols. Our website access is protected with TLS 1.2 or higher over public networks. We continue to adopt recommended practices as needed.
All data at rest is encrypted using the AES-256 encryption standard.
Availability and Continuity
Our services are provided through the public cloud, are deployed across multiple availability zones, and are configured to respond to measured and expected load. We use highly available and secure cloud services for hosting customer data.
We monitor our services by automated and manual means, including but not limited to real-time data collection and logging.
In the event of a cloud-based outage, we have the ability to deploy our services to new cloud services on AWS and/or to new regions.
User identification and authorization
We use a user-provided e-mail address and password to identify users of our services. Users can also use linked accounts (such as Google or LinkedIn) for identification. We grant authorization based on user identity when providing access to events and event information.
Our Quality Assurance team tests code for findings, and we also use source code security analysis processes to find defects in our code. Our teams receive security training and the necessary feedback on secure development and operational practices.
We periodically evaluate our customer data collection with regard to minimization, limited data retention, data portability and erasure. Users can view and change their data and determine with whom it can be shared through our services.
Our testing, staging and production environments are separated by strict access controls, with no user data in development or test environments.
All employees are required to sign Non-Disclosure and Confidentiality agreements.
Crowdsol maintains compliance with the European Union's General Data Protection Regulation (GDPR) and the United Kingdom's General Data Protection Regulation (UK-GDPR).
We outsource our cardholder functions to a PCI-DSS Level 1 service provider.
We understand the risks of working with vendors. We evaluate and perform due diligence on all of our vendors prior to and during the engagement.
If you believe you have discovered a potential vulnerability, please let us know by e-mailing email@example.com. Please include at least the following information:
- Finding name
- Proof-of-concept to reproduce the finding
Please also observe the following rules:
- All testing should be done within your own account only.
- We do not allow disclosure of the vulnerability.
- Please do not take advantage of the vulnerability you have disclosed.