Trust Center

Enhance your infrastructure's resilience, fortify security measures, ensure compliance, exercise administrative control, and unlock more with Cryptr.

One or more annual third-party audit(s)
Deletes customer data on request
Has cyber insurance
Annual third-party penetration testing
Uses a centralized IAM solution (SSO) to manage employee access
Has a bug bounty or vulnerability disclosure program
Subprocessors list available
Has a formal mobile device management (MDM) program
Has an API available
Will enter into a DPA
Has a disaster recovery plan
Has a status page

Controls

Asset Management

  • Inventory of assets

  • Acceptable use of assets

  • Return of personal assets

Application & Data Security

  • Penetration testing performed

  • Data encryption at rest

  • Data encryption in transit

Business Continuity

  • Disaster recovery plans tested

  • Backup processes

  • Incident response policies

Cloud Security

  • Service infrastructure maintained

  • Production data backups conducted

  • Database replication utilized

Data & Privacy

  • Privacy policy

  • Data retention procedures

  • Data processing procedures

Employee Security

  • Mobile device management

  • Password vault

  • Security awareness training implemented

Human Resource Security

  • Disciplinary process

  • Terms and conditions of employment

  • Background checks

Identity & Access Control

  • Access rights

  • Full life cycle of identities

  • 2FA enforced

Incident Management

  • Incident management process

  • Red team with roles & responsibilities

  • Incident communication procedure

Legal & Compliance

  • Documented legal requirements

Risk & Vulnerability

  • Vulnerability scanning

  • Penetration testing

  • OWASP practices

Supplier Relationships

  • Review security of suppliers

  • Risk management of suppliers

Privacy

Cryptr can help you comply with GDPR.

Request Data Processing Agreement
Conditions for Consent

According to Article 7 of GDPR, the personal data you collect must be limited to what is necessary. You have to be able to show that the user has consented, and to provide the user with an easy way to withdraw consent at any time.

Right to Access, Correct, and Erase Data

According to Articles 15, 16, 17, and 19 of GDPR, your users have the right to obtain a copy of the personal data you are processing about them, to ask for rectification if it is inaccurate, and to ask you to delete their personal data. Cryptr provides an API through which you can access, edit and delete user data.

Data Minimization

According to Article 5 of GDPR, the personal data you collect must be limited to what is necessary for processing. The data must be kept only as long as needed, and appropriate security must be ensured during data processing, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage.

Data Portability

According to Article 20 of GDPR, users have the right to receive personal data concerning them in a structured, commonly used and machine-readable format. You can export user data stored in Cryptr user directories with the Cryptr API. The raw data from our API is returned in a machine-readable format, JSON.

Protect and Secure User Data

According to Article 32 of GDPR, Cryptr implements appropriate measures to ensure a level of security, such as data encryption, ongoing confidentiality, data integrity, and the availability and resilience of processing systems and services. See the Architecture for Security & Cryptography and Architecture for Availability & Resilience sections.

Data Location

Zone: EU

  • Provider: Amazon Web Services

  • Country: Germany

Zone: US

  • Provider: Google Cloud Platform

  • Country: USA

Zone: ASIA

  • Provider: Amazon Web Services or Google Cloud Platform

  • Country: SGP

Database has backups with a Point-in-Time Recovery system with encryption at rest.

Subprocessors

Infrastructure management

  • Platform as a Service for hosting, continuous integration and resilience. By the Head of Risk of Stripe

  • Country: USA

Static IPs (HTTPS/SOCKS)

  • HIPAA/PCI/PII compliant, end-to-end encryption, static IPs using HTTPS/SOCKS

  • Depending on the plan you choose for your dedicated instance of Cryptr, we may use a load-balanced IP.

  • Country: USA

Error monitoring

  • Country: NLD

Mailing API

  • Only for magic links (login link by email) and notifications

  • Country: USA

Payment API

  • Country: USA

Internal Developers Audit

Cryptr is a security company, and security is our culture, so we perform strict Software Composition Analysis. This process is integrated into continuous integration, which checks the Cryptr source code before a new version is released.

Protection Before Production

Static analysis (SAST) checks, before code delivery, for the OWASP Top 10 and the following vulnerability families (non-exhaustive list):

  • Insecure configuration

  • SQL injection

  • Denial of service

  • Known vulnerabilities in dependencies

  • Command injection

  • Directory traversal

  • Cross-site scripting

  • Code execution

  • Unsafe serialization

Dependency-Check with Software Composition Analysis (SCA) checks for known vulnerabilities in dependencies against the CVE (Common Vulnerabilities and Exposures) database.

Protection in Production

Runtime Application Self-Protection (RASP)

It is unusual for functions to be created at runtime, so Cryptr treats runtime function creation as a high-quality signal of malicious activity. Cryptr provides runtime application self-protection (RASP) against remote code execution (RCE) exploits.

Distributed Denial of Service (DDoS) Protection

We apply denial-of-service protection to every Cryptr instance. We use Cloudflare’s industry-leading DDoS protection infrastructure behind the scenes, and you don’t have to do anything to benefit: your Cryptr instance is automatically protected.

Architecture for Availability & Resilience

Cryptr is resilient by design

Request Disaster Recovery Plan
  • Concurrency for Vertical Scaling: with our CPU scheduler

  • Distribution for Horizontal Scaling: our software state is distributed across nodes, with a load balancer on top

  • Fault Tolerance: crashes have no impact on the server, thanks to our process supervisors

  • Database Redundancy: within a few seconds, the standby DB becomes the new primary DB. When the degraded DB becomes healthy again, it becomes the new standby DB.

  • Automated Failover: the server is automatically transferred to a backup system when it fails or is temporarily shut down.

  • Point-in-Time Database Recovery: with point-in-time recovery (PITR), your database is continually archived, which can help you recover it from unexpected data loss. Cryptr can restore your database to a point before the data loss occurred, up to 7 days back.

Architecture for Security & Cryptography

Encryption and Signing

Data Encryption

  • We encrypt at rest with AES-256

  • Each customer and sub-customer has dedicated keys

  • Rainbow table attack protection

Data Digital Signatures

  • JSON Web Tokens (JWT) are signed with RS256

Key Management

  • The private key (JWK) is stored in a vault service on a private network

  • Each direct Cryptr customer has a dedicated Private Key (JWK)

  • Rotation of private keys (JWK) is possible

  • Public keys are available via standard public endpoints (JWKS)

State-of-the-Art Secure Password

  • Cryptr uses Argon2 for password hashing

  • Users cannot reuse a previous password (limited to a history of ten)

  • Password strength is checked using a zxcvbn score
