At Cradl, security is a top priority. Our users trust us with a significant amount of data, and we do not take this responsibility lightly.
Cradl is used by companies with high requirements to security and compliance such as government agencies and financial institutions, and in order to earn our customers' trust we believe that transparency on how your customer data is being collected, transported and stored.
Cradl is hosted on AWS, giving us access to the benefits they provide their customers such as physical security, redundancy, scalability and key management. Our infrastructure is cloud native and we use managed AWS services whenever possible to reduce the attack surface on software managed by us.
What We Encrypt
All data transport, including inter-VPC communication, is encrypted with TLS. Data is encrypted at-rest with AES-256 in GCM-mode in accordance with AWS best practices. AWS KMS is used to manage encryption keys and unique encryption keys are used per account.All certificates are managed by Amazon Certificate Manager (ACM).
You Control Your Own Data
A user defined retention policy is used to determine how long documents submitted to the API is stored before it is automatically deleted. The purpose of the data storage is to 1) to process the document for the user and 2) to improving the user's machine learning models continuously. Cradl uses AWS's built-in lifecyle rules, hooks and timers to ensure that documents are stored in accordance with retention policy specified by the user.
When uploading documents to Cradl, the user may optionally provide a consent ID which can be used to identify the origin of the document. A given consent can be revoked through Cradl's APIs which will trigger an automatic deletion of all documents with the given consent ID. For users who process documents with Cradl on behalf of other end-users, the consent ID can be used to implement right of access and right to be forgotten in accordance with the requirements of the General Data Protection Regulation 2016/679 (GDPR). In this case, Cradl recommends that a hash of the end users' ID is used as consent ID.
The user may at any given time delete individual or all documents through the Cradl APIs.
Third-Party Sub-Processors We Use
At Cradl, we use 3rd party service providers to help with analytics, payments, sending transactional emails and for hosting our service. To provide optimal transparency to our users we disclose all 3rd party services that may have access to your data by using our service.
How We Ensure Service Availability
Our infrastructure is hosted in AWS and is fully monitored to detect any downtime. Cradl is deployed in multiple availability zones, and uses Amazon API Gateway's built-in DoS-protection mechanism together with various throttling limits to prevent abuse of the service. Automated health checks are run regularly and unresponsive instances are terminated and re-deployed automatically.
Cradl's service commitment is governed by our SLA.
Vulnerability Discovery and Pentesting
Cradl conducts security tests at least annually. In addition to this we use tools such as AWS CloudTrail, AWS WAF, AWS GuardDuty and Snyk for monitoring and detection of threats and vulnerabilities and for incident management. But no matter how much we strive to keep our systems secure, there can still be vulnerabilities present. If you discover a vulnerability, we would like to know about it so we can fix it as quickly as possible.We ask you to help us better protect our users and our systems.
Internal Security Measures
In addition to our relentless focus on application security, we believe that internal and employee security measures are critical for end-to-end security. Internal security polices, physical security mechanisms and and incident management routines are not listed in this section.
Identity and Access Management
Employees have unique logins for all business critical systems and two-factor authentication is enforced wherever possible, and we operate on the principle of least privilege.
Cradl Employees' Access to Data and Infrastructure
Cradl is committed to the principle of immutable infrastructure. Consequently, our developers do not have direct access to the production environment (including S3 buckets). Any modification to production code must be checked in to version control, reviewed and tested before deployment to production. A CI/CD-pipeline is used for this and is implemented with CodePipeline, CodeBuild and CloudFormation. Cradl is commited to the principle of least privilege.
All Cradl's employees are physically located in Europe (Norway).
All employee laptops have encrypted hard drives. Employees use clean cellphones and computers when travelling abroad to high-risk countries.