This Security Policy is incorporated into and made a part of the written agreement between Crossbeam and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Policy, this Security Policy shall govern.
SOC 2 (System and Organization Controls) is an industry-standard, regularly refreshed standard that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service. Crossbeam currently audits against the SOC 2 Type II standard and offers its SOC 2 Type II report (which is deemed to be Crossbeam Confidential Information) upon written request no more than once annually. To the extent Crossbeam discontinues its SOC 2 Type II audit, Crossbeam will adopt or maintain a substantially equivalent, industry-recognized framework. Crossbeam will maintain ISO 27001 and ISO 27701, to the extent Crossbeam discontinues its certifications under ISO 27001 and ISO 27701 Crossbeam will adopt or maintain an equivalent, industry-recognized framework. Security reviews are available at https://security.crossbeam.com/. Crossbeam is not obligated to conduct security reviews or assessments through any platform (including customer or third party platforms). The foregoing is not intended to limit the Customer’s audit rights which are set forth in Crossbeam’s DPA.
Overview. Crossbeam requires authentication for access to all application pages on the Service, except for those intended to be public.
Secure Communication of Credentials. Crossbeam currently uses TLS-encrypted requests to transmit authentication credentials to the Service.
Password Management. Crossbeam has processes designed to enforce minimum password requirements for the Service. Crossbeam currently enforces the following requirements and security standards for end user passwords on the Service:
Password Hashing. User account passwords stored on Auth0 are hashed with a random salt using industry-standard techniques. Auth0 uses bcrypt to hash and salt passwords.
Single Sign-On.For select packages, customers can implement Security Assertion Markup Language (SAML) Single Sign-On (SSO) through Crossbeam’s SSO provider. This allows a customer’s team to login to Crossbeam using their existing corporate credentials. Single Sign-On is available on enterprise packages only. Crossbeam also supports Google Oauth as a form of Single Sign-On.
Overview. Each time a user signs into the Service, the system assigns them a new, unique session identifier, currently consisting of 64 bytes of random data designed for protection against brute forcing.
Session Timeout. All sessions are designed to have a hard timeout (currently set to 7 days). Single Sign-On sessions are configured with an inactivity timeout as well (currently, 4 hours). There is an optional setting to terminate any sessions after 15 minutes of inactivity.
Sign Out. When signing out of the Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Crossbeam servers.
Crossbeam monitors and updates its communication technologies periodically with the goal of providing network security.
Crossbeam encrypts all data at rest and in transit. Data is stored in AWS RDS/Aurora and encrypted with unique keys from AWS KMS. All database connections use TLS. HSTS is used to ensure browsers’ encryption of communication.
Crossbeam regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.
Crossbeam uses an Intrusion Detection System (IDS) and Endpoint Detection and Response (EDR), and other security monitoring tools on the production servers hosting the Service.
Access to Customer Data is restricted within Crossbeam to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers). Access to Customer Data is protected with SSO and multi factor authentication (MFA) in addition to Secure Access Service Edge (SASE) at the device level.
Crossbeam currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Service.
Customer Data is protected through the use of Data Security Posture Management Tools. Customer Data is not used in test environments.
Crossbeam has implemented several employee job controls to help protect the information stored on the Service:
The engineering process for the Crossbeam platform follows industry-standard code development processes designed to ensure security at the product development and engineering levels. Changes to servers are administered by members of the engineering team in a DevOps model. All changes to servers and infrastructure are implemented as code using industry standard tools and undergo the systems development lifecycle process as changes to the software.
The software Crossbeam develops for the Service is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. Crossbeam regularly conducts:
Crossbeam conducts, at a minimum, annual penetration tests of its Services. Crossbeam uses industry recognized and reputable firms with appropriate expertise to conduct such testing. The results of these tests are available for download at https://security.crossbeam.com.
Crossbeam maintains formal security and privacy policies that are communicated to employees and contractors. The policies are reviewed and audited annually, and the result of those audits can be downloaded at https://security.crossbeam.com.
Crossbeam maintains an inventory of assets as well as software that is maintained and updated for accuracy.
The infrastructure for the Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:
Crossbeam has an Incident Cybersecurity and Privacy Response Plan and Policy designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis. The results of these tests are available for download at https://security.crossbeam.com.
The Service is designed to logically separate each customers’ data from that of other customers. Crossbeam’s application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.
User roles specify different levels of permissions that the Customer can use to manage the users on the Service account. Customers can invite users to Customer’s Crossbeam account without giving all team members the same levels of permissions.
Crossbeam conducts annual security and privacy awareness training of its workforce. New employees are required to take this training within 30 days of their start date.
Crossbeam uses a third party cloud platform (currently Amazon Web Services (“AWS”)) to host its production systems for the Service. Access to AWS’s data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for AWS data centers include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. Crossbeam relies on AWS’s third party attestations of their physical security. Crossbeam is a fully remote company and does not maintain a physical office.
Vulnerabilities meeting risk criteria defined by Crossbeam trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, Crossbeam will use commercially reasonable efforts to address any vulnerabilities within a reasonable timeframe. Vulnerabilities which Crossbeam deems to be critical in nature will be remediated or mitigated within 30 days. Regardless of severity, Crossbeam remediates or mitigates all vulnerabilities within 90 days.