According to Article 7 of the GDPR, where processing is based on consent you must be able to demonstrate that the user has consented, and the user must be able to withdraw that consent at any time, as easily as it was given.
Right to Access, Correct, and Erase Data
According to Articles 15, 16, 17 and 19 of the GDPR, your users have the right to obtain a copy of the personal data you are processing about them, to ask for rectification if it is inaccurate, and to ask you to erase it. Cryptr provides an API through which you can access, edit and delete user data.
Data Minimization
According to Article 5 of the GDPR, the personal data you collect must be limited to what is necessary for the purposes of the processing. The data must be kept only as long as needed, and appropriate security must be ensured during processing, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Data Portability
According to Article 20 of the GDPR, users have the right to receive the personal data concerning them in a structured, commonly used and machine-readable format. You can export the user data stored in Cryptr user directories through the Cryptr API; the raw data returned by the API is JSON, a machine-readable format.
Protect and Secure User Data
According to Article 32 of the GDPR, Cryptr implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption of data and the ongoing confidentiality, integrity, availability and resilience of processing systems and services. See the Architecture for security and Architecture for resilience sections.
Data Location
Zone   Provider                                      Country
EU     Amazon Web Services                           Germany
US     Google Cloud Platform                         USA
ASIA   Amazon Web Services or Google Cloud Platform  Singapore (SGP)
The database is backed up with point-in-time recovery (PITR), and data and backups are encrypted at rest.
Subprocessors
Infrastructure management
Platform as a Service for hosting, continuous integration and resilience, by the Head of Risk of Stripe.
Country: USA
Static IPs
HIPAA/PCI/PII compliant, end-to-end encrypted static IPs over HTTPS/SOCKS. Depending on the plan you choose for your dedicated Cryptr instance, we may use load-balanced IPs.
Country: USA
Error monitoring
Country: NLD
Mailing API
Used only for magic links (login link by email) and notifications.
Country: USA
Payment API
Country: USA
Internal Developers Audit
Cryptr is a security company, and security is our culture: we perform strict Software Composition Analysis, integrated into continuous integration, which checks the Cryptr source code before a new version is released.
Protection Before Production
Static analysis (SAST) runs before code delivery and checks for the OWASP Top 10 and the following vulnerability families (non-exhaustive list):
Insecure configuration
SQL injection
Denial of service
Known vulnerabilities in dependencies
Command injection
Directory traversal
Cross-site scripting
Code execution
Unsafe deserialization
Dependency-Check, a Software Composition Analysis (SCA) tool, checks the dependencies for known vulnerabilities against the CVE (Common Vulnerabilities and Exposures) database.
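The CI gate such an SCA step ends in, as an added example that is not Cryptr's pipeline code: it reads the JSON report that `dependency-check --format JSON` writes, scores each finding and fails the build when any dependency carries a vulnerability at or above a CVSS threshold. Field names follow Dependency-Check's JSON report; SAMPLE_REPORT is a constructed, heavily abbreviated stand-in for a real report (the two CVEs in it are real, the com.example package is a placeholder), and score_of, triage and gate are names chosen for this example.

```python
"""CI gate over an OWASP Dependency-Check JSON report (added example, not Cryptr's code).

Reads the report written by `dependency-check --format JSON`, scores every
finding and fails the build when any dependency carries a vulnerability at or
above a CVSS threshold. Older CVEs were never rescored under CVSS v3, so the
gate falls back to the v2 score, then to the severity band, rather than
silently treating a score-less finding as harmless.
"""
import json
import sys

# NVD severity bands, used only for a finding that carries no numeric score.
SEVERITY_FLOOR = {"CRITICAL": 9.0, "HIGH": 7.0, "MEDIUM": 4.0, "MODERATE": 4.0, "LOW": 0.1}

# Constructed, abbreviated report; field names follow Dependency-Check's JSON schema.
SAMPLE_REPORT = json.dumps({
    "reportSchema": "1.1",
    "dependencies": [
        {
            "fileName": "log4j-core-2.14.1.jar",
            "packages": [{"id": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"}],
            "vulnerabilities": [
                {"name": "CVE-2021-44228", "source": "NVD", "severity": "CRITICAL",
                 "cvssv3": {"baseScore": 10.0, "baseSeverity": "CRITICAL"},
                 "cvssv2": {"score": 9.3}},
            ],
        },
        {
            "fileName": "guava-30.1-jre.jar",
            "packages": [{"id": "pkg:maven/com.google.guava/guava@30.1-jre"}],
            "vulnerabilities": [
                {"name": "CVE-2020-8908", "source": "NVD", "severity": "LOW",
                 "cvssv3": {"baseScore": 3.3, "baseSeverity": "LOW"}},
            ],
        },
        {   # placeholder dependency with no findings; the key may be absent entirely
            "fileName": "internal-lib-1.0.jar",
            "packages": [{"id": "pkg:maven/com.example/internal-lib@1.0"}],
        },
    ],
})


def score_of(vuln):
    """CVSS score used for gating: v3 base score, else v2 score, else the floor
    of the reported severity band (0.0 if nothing usable is present)."""
    v3 = vuln.get("cvssv3") or {}
    if v3.get("baseScore") is not None:
        return float(v3["baseScore"])
    v2 = vuln.get("cvssv2") or {}
    if v2.get("score") is not None:
        return float(v2["score"])
    return SEVERITY_FLOOR.get(str(vuln.get("severity", "")).upper(), 0.0)


def triage(report, fail_on_cvss=7.0):
    """Flatten the report into findings and decide the gate. Findings suppressed
    through a suppression file are listed by Dependency-Check under
    "suppressedVulnerabilities", not "vulnerabilities", so they never block."""
    if isinstance(report, str):
        report = json.loads(report)
    findings = []
    for dep in report.get("dependencies", []):
        purl = ", ".join(p.get("id", "?") for p in dep.get("packages", [])) or dep.get("fileName", "?")
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({"dependency": dep.get("fileName", "?"), "package": purl,
                             "id": vuln.get("name", "?"), "score": score_of(vuln)})
    findings.sort(key=lambda f: (-f["score"], f["id"]))
    blocking = [f for f in findings if f["score"] >= fail_on_cvss]
    return {"findings": findings, "blocking": blocking, "failed": bool(blocking)}


def gate(report, fail_on_cvss=7.0):
    """Print one line per finding and return the process exit code (1 = fail build)."""
    result = triage(report, fail_on_cvss)
    for f in result["findings"]:
        mark = "BLOCK" if f["score"] >= fail_on_cvss else "warn "
        print(f"{mark} {f['score']:4.1f} {f['id']:<16} {f['package']}")
    print("FAILED" if result["failed"] else "PASSED", f"(threshold CVSS >= {fail_on_cvss})")
    return 1 if result["failed"] else 0


if __name__ == "__main__":
    # usage: python sca_gate.py [dependency-check-report.json] [threshold]
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 7.0
    sys.exit(gate(report_text, threshold))
```

Dependency-Check's own `--failOnCVSS` flag gives you the simple threshold directly; a script like this is what you add when you also want the v2/severity fallback, a sorted summary in the build log, or a different threshold per branch. Note that a suppression file removes findings from the gate silently, so suppressions belong in code review like any other change.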
Protection in Production
Runtime Application Self-Protection (RASP)
It is unusual for functions to be created at runtime, so Cryptr treats runtime code creation as a high-quality signal of malicious activity. On that basis Cryptr provides runtime application self-protection (RASP) against remote code execution (RCE) exploits.
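The runtime signal described above, as an added example that is not Cryptr's RASP: the page does not say which runtime Cryptr uses, so CPython's audit hooks (PEP 578, Python 3.8 or later) stand in. Every exec() or eval() of a code object raises an "exec" audit event before the code runs, and an audit hook that raises an exception aborts the call. The hook treats a code object whose co_filename is a pseudo-name such as "<string>" as created at runtime, trusts the standard library's own code generation (collections.namedtuple, dataclasses) and the frozen import machinery, and denies everything else. RuntimeCodeBlocked, arm, disarm, evaluate_user_filter and demo are names chosen for this example, and the filter-expression code path is a constructed stand-in for a vulnerable feature.

```python
"""Runtime guard against code built from strings (added example, not Cryptr's RASP).

CPython raises an "exec" audit event with the code object before exec()/eval()
runs it; raising from the hook aborts the call. Assumption: legitimate
application code is loaded from module files (real co_filename), while code
created at runtime has a pseudo filename such as "<string>".
"""
import collections
import os
import sys

_STDLIB_DIR = os.path.dirname(os.__file__)          # e.g. /usr/lib/python3.11
_state = {"installed": False, "armed": False, "events": []}


class RuntimeCodeBlocked(RuntimeError):
    """Raised from inside exec()/eval() when runtime-created code is denied."""


def _trusted_caller(filename):
    # The stdlib builds code at runtime legitimately (namedtuple, dataclasses),
    # and the frozen import system executes every module it loads.
    on_disk = filename.startswith(_STDLIB_DIR) and "site-packages" not in filename
    return on_disk or filename.startswith("<frozen ")


def _audit_hook(event, args):
    if event != "exec" or not _state["armed"]:
        return
    code = args[0]
    # Module code has a real path (or "<frozen ...>" for frozen stdlib modules).
    if not code.co_filename.startswith("<") or code.co_filename.startswith("<frozen "):
        return
    try:
        # frame 0 is this hook; frame 1 is the Python code that called exec()/eval().
        caller = sys._getframe(1).f_code.co_filename
    except ValueError:
        caller = "<unknown>"
    if _trusted_caller(caller):
        return
    _state["events"].append({"caller": caller, "source_name": code.co_filename,
                             "names": sorted(code.co_names)})   # the signal to alert on
    raise RuntimeCodeBlocked(f"runtime-created code denied (caller {caller})")


def arm():
    """Install the hook once (audit hooks cannot be removed) and enforce."""
    if not _state["installed"]:
        sys.addaudithook(_audit_hook)
        _state["installed"] = True
    _state["armed"] = True


def disarm():
    """Enforcement switch for tests. Code that already runs in-process could
    flip it too, which is why this is a detection signal, not a boundary."""
    _state["armed"] = False


def evaluate_user_filter(expr, record):
    """Constructed stand-in for the kind of feature an RCE rides on: a
    user-supplied filter expression handed to eval(). Returns ("ok", value) or
    ("blocked", reason); when armed the hook fires before expr executes."""
    try:
        return "ok", eval(expr, {}, {"record": record})
    except RuntimeCodeBlocked as exc:
        return "blocked", str(exc)


def demo():
    """Arm the guard, show stdlib code generation still works, then show an
    injected expression is denied before it runs."""
    arm()
    Point = collections.namedtuple("Point", "x y")   # namedtuple builds __new__ via eval()
    stdlib_ok = Point(1, 2).x
    verdict, detail = evaluate_user_filter("__import__('os').system('id')", {"role": "user"})
    return stdlib_ok, verdict, detail, list(_state["events"])


if __name__ == "__main__":
    stdlib_ok, verdict, detail, events = demo()
    print("stdlib codegen allowed:", stdlib_ok == 1)
    print("injected expression:", verdict, detail)
    print("recorded signal:", events[-1])
```

Two caveats a practitioner should read with this. First, a benign expression like `record["role"] == "admin"` is denied just the same: the hook flags the code path, and the remedy is to replace string evaluation with a parser or an allowlist, not to tune the hook. Second, the filename heuristic is evadable by anyone who can already construct code objects (co_filename can be set to a real path), and third-party libraries that generate code, such as template engines, must be added to the trusted set; treat this as the high-quality alert source the text describes, with the event record shipped to monitoring, rather than as a sandbox.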
Distributed Denial of Service (DDoS) Protection
Every Cryptr instance is covered by denial-of-service protection. We use Cloudflare's DDoS protection infrastructure behind the scenes, so you do not have to do anything to benefit: your Cryptr instance is protected automatically.
Our software state is distributed across nodes, with a load balancer in front.
Fault Tolerance
A crash in one process has no impact on the server: our process supervisors restart the failed process.
Database Redundancy
Within a few seconds, the standby database becomes the new primary. When the degraded database becomes healthy again, it becomes the new standby.
Automated Failover
Traffic is automatically transferred to a backup system when a server fails or is temporarily shut down.
Point-in-Time Database Recovery
With point-in-time recovery (PITR), the database is continuously archived, which helps recover from unexpected data loss. Cryptr can restore the database to a point in time before the loss occurred, up to 7 days back.