Security Statement – Technical and Organizational Measures

At Crowdsol, we take security seriously. We are committed to protecting our customer data and information systems. We take action to ensure the ongoing confidentiality, integrity, availability and resilience of our processing systems and services. We constantly evaluate our security posture to find ways to improve it, regularly testing, assessing and evaluating the effectiveness of our technical and organizational measures in order to ensure the security of processing.

You can reach our security team at security@crowdsol.com.

Cloud Security

Facilities

We use infrastructure from Amazon AWS and Azure Cloud for data center hosting. Our providers' data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 1 and SOC 2 compliant.

Our providers implement availability and security measures including, but not limited to, backup power and fire detection and suppression equipment. Learn more about security controls for AWS and Azure.

On-Site Security

AWS and Azure implement layered security controls to ensure physical security. Learn more about physical security for AWS and Azure.

Network Security

At Crowdsol, we have a professional security team that monitors and responds to security alerts and events.

Third-party penetration tests are conducted against our services at least annually, and findings are remediated as soon as possible.

We leverage threat detection, DDoS mitigation and vulnerability scanning for our infrastructure, and all issues are remediated in a timely manner.

System management access to our systems is limited to a least-privilege model for our staff and is subject to audits. Two-factor authentication is required for all production systems.

Encryption

All communication with our systems is encrypted with up-to-date protocols. Access to our website over public networks is protected with TLS 1.2 or higher. We continue to adopt recommended practices as needed.

All data at rest is encrypted with the AES-256 encryption standard.

Availability and Continuity

Our services are provided through public cloud infrastructure, are deployed across multiple availability zones, and are configured to scale with measured and expected load. We use highly available and secure cloud services for hosting customer data.

We monitor our services by automated and manual means including, but not limited to, real-time data collection and logging.

In the event of a cloud-based outage, we have the ability to redeploy our services to new cloud services on AWS and/or to new regions.

User Identification and Authorization

We use a user-provided e-mail address and password to identify users of our services. Users can also use linked accounts (such as Google or LinkedIn) for identification. We grant authorization based on the user's identity when providing access to events and event information.

Application Security

Our Quality Assurance team tests code for findings, and we also use source code security analysis processes to find defects in our code. Our teams receive security training and the necessary feedback on secure development and operational practices.

We periodically evaluate our customer data collection against data minimization, limited data retention, data portability and erasure. Users can view and change their data, and determine with whom it can be shared, through our services.

Our testing, staging and production environments are separated with strict access controls, and no user data is present in development or test environments.

All employees are required to sign Non-Disclosure and Confidentiality agreements.

Data Privacy

Crowdsol maintains compliance with the European Union's General Data Protection Regulation (GDPR) and the United Kingdom's General Data Protection Regulation (UK-GDPR).

We outsource our cardholder data functions to a PCI DSS Level 1 service provider.

Our privacy policy can be found here. You can submit privacy-related requests here. (Link to data request page)

Third-party Security

We understand the risks of working with vendors. We evaluate and perform due diligence on all of our vendors prior to and during the engagement.

Disclosure Policy

  • If you believe you have discovered a potential vulnerability, please let us know by e-mailing us at security@crowdsol.com. Please include at least the following information:
    • Finding name
    • Domain
    • Severity
    • URL
    • Proof-of-concept to reproduce the finding
    • Evidence
  • All testing should be done within your own account only.
  • We do not allow disclosure of the vulnerability.
  • Please do not take advantage of the vulnerability you have disclosed.