Security is an essential tenet of CrowdFiber operations.  This document provides an overview of some of the principles and attributes of our security strategy and tactics. For additional questions regarding security or to report a concern, please contact security@crowdfiber.com.

Employee And Physical Security

Confidentiality

CrowdFiber employees hold your data in the strictest confidentiality. We have strict technical and business controls to keep your data secure. All CrowdFiber employees and contractors are required to sign confidentiality agreements as a condition of employment.

Social Engineering Awareness

CrowdFiber runs regular social engineering training and reviews with employees and contractors. These include simulated attempts to elicit sensitive information from employees. Security is the responsibility of all employees.

Hiring Processes

CrowdFiber follows a stringent employee hiring process to screen all employees and contractors for potential security risks. CrowdFiber requires an in-person interview for any employee or contractor that will have access to sensitive information.

Physical Security

CrowdFiber uses video surveillance, independent access control systems between the general and sensitive areas of our facility, and monitored fire and burglar alarm systems. CrowdFiber performs audits and penetration tests of our physical security on at least a quarterly basis.

Protection

Backups

We protect your data with regular backups to multiple, diverse locations so that it can be restored in the event of a catastrophic failure. Backup data is encrypted both in transit and at rest.

Related Policies:
Acceptable Encryption Policy

Source Code

CrowdFiber uses modern security and static code analysis tools such as Brakeman, GitHub Security Alerts and RuboCop to help ensure a reliable and secure platform. Additionally, all code must pass a peer-review process before it is released to production systems. All source code is stored in GitHub, and access requires two-factor authentication.

Related Policies:
Source Code Review Policy

Network Security

CrowdFiber uses a multilayer approach to our network security including firewalls at the edges of our network, firewalls on each host, honeypots, and other countermeasures to protect our internal network and detect new threats.

Related Policies:
Router And Switch Security Policy
Lab Security Policy

Traffic Encryption

All information you and your customers send to and receive from CrowdFiber is encrypted in transit. CrowdFiber uses TLS certificates issued by Sectigo, GlobalSign and Let’s Encrypt for public-facing traffic.

Any documents uploaded to CrowdFiber are encrypted at rest using AES-256, with the encryption keys stored separately from the files themselves. All database connections are encrypted.
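The following is an added illustration, not CrowdFiber's own code, of the pattern the paragraph above (and the at-rest protection described under Backups) refers to: a document is encrypted with AES-256 in GCM mode under a per-document data key, that data key is wrapped under a master key, and the master key lives in a store separate from the file store, so an attacker who obtains only the stored files cannot decrypt them. The MASTER_KEYS and FILE_STORE hashes, the function names and the sample document bytes are all assumptions made so the example runs offline; in a deployment the master keys would sit in a KMS or secrets service.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical key-management store, kept separate from the file store. In a
# real deployment this would be a KMS or secrets service; here it is an
# in-memory hash of key_id => 32-byte master key so the example runs offline.
MASTER_KEYS = {}

# Hypothetical file store: holds only ciphertext plus the wrapped per-document
# key. The master key never appears here.
FILE_STORE = {}

def provision_master_key
  key_id = SecureRandom.uuid
  MASTER_KEYS[key_id] = SecureRandom.random_bytes(32) # AES-256 key
  key_id
end

# AES-256-GCM is authenticated encryption: any change to the ciphertext, IV,
# tag or associated data (AAD) is detected at decrypt time.
def gcm_encrypt(key, plaintext, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  c.key = key
  iv = c.random_iv              # 12 random bytes; never reuse an IV under one key
  c.auth_data = aad
  ciphertext = c.update(plaintext) + c.final
  { iv: iv, ct: ciphertext, tag: c.auth_tag }
end

def gcm_decrypt(key, blob, aad)
  c = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  c.key = key
  c.iv = blob[:iv]
  c.auth_tag = blob[:tag]
  c.auth_data = aad
  c.update(blob[:ct]) + c.final # raises OpenSSL::Cipher::CipherError on tamper
end

# Envelope encryption: each document gets its own data encryption key (DEK).
# The DEK is wrapped under the master key and only the wrapped DEK is stored
# beside the ciphertext. The document ID is used as AAD so a record cannot be
# silently re-labelled as a different document.
def store_document(doc_id, plaintext, master_key_id)
  dek = SecureRandom.random_bytes(32)
  body = gcm_encrypt(dek, plaintext, doc_id)
  wrapped_dek = gcm_encrypt(MASTER_KEYS.fetch(master_key_id), dek, doc_id)
  FILE_STORE[doc_id] = { master_key_id: master_key_id, body: body, wrapped_dek: wrapped_dek }
  doc_id
end

def fetch_document(doc_id)
  rec = FILE_STORE.fetch(doc_id)
  master = MASTER_KEYS.fetch(rec[:master_key_id]) # lookup in the separate store
  dek = gcm_decrypt(master, rec[:wrapped_dek], doc_id)
  gcm_decrypt(dek, rec[:body], doc_id)
end

# A single flipped ciphertext byte must cause an authentication failure rather
# than yield corrupted plaintext.
def tampered_fetch_fails?(doc_id)
  rec = FILE_STORE.fetch(doc_id)
  corrupted = rec[:body][:ct].dup
  corrupted.setbyte(0, corrupted.getbyte(0) ^ 0x01)
  master = MASTER_KEYS.fetch(rec[:master_key_id])
  dek = gcm_decrypt(master, rec[:wrapped_dek], doc_id)
  gcm_decrypt(dek, rec[:body].merge(ct: corrupted), doc_id)
  false
rescue OpenSSL::Cipher::CipherError
  true
end

if __FILE__ == $PROGRAM_NAME
  kid = provision_master_key
  store_document('doc-42', 'constructed sample: contents of an uploaded service order', kid)
  puts fetch_document('doc-42')
  puts "tamper detected: #{tampered_fetch_fails?('doc-42')}"
end
```

The separation matters operationally: FILE_STORE can be backed up, replicated or handed to a storage provider without ever exposing a master key, and rotating a master key means re-wrapping small DEK records rather than re-encrypting every document.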

Related Policies:
Database Authentication Credentials Policy
Acceptable Encryption Policy

Data Center Selection

CrowdFiber performs a site visit to review all data centers it uses and to verify our minimum required power, network, and redundancy requirements. We only use production data centers that meet the following standards:

SSAE 16 SOC 2 Type 2

PCI DSS compliant

EU-U.S. Privacy Shield

Availability

We are committed to being a highly available service for our customers and to building and operating our software in a fault-tolerant way. As a minimum standard, CrowdFiber provides 99.9% uptime measured monthly, excluding weekends, holidays and scheduled maintenance. See your sales agreement for particular details regarding availability.

Compliance

PCI Compliance

We do not capture, process, or store payment information such as credit card numbers, billing ZIP codes, or card security codes (CSC). The payment transaction occurs directly between the end user's client device and our payment processor, Stripe. Our servers only receive a token and non-confidential data as proof of payment. All funds captured are deposited directly into each customer's own Stripe account, which that customer controls and manages. We follow the requirements stated here: https://stripe.com/docs/security for a PCI compliant system.

CPNI Compliance

We have established operating procedures that ensure compliance with the Federal Communications Commission regulations regarding the protection of customer proprietary network information (“CPNI”).

Logging And Retention

We maintain an extensive, centralized logging environment that enables us to collect security, monitoring, availability, access, and other metrics about the CrowdFiber services. CrowdFiber retains logs from all production systems for at least 90 days.

Related Policies:
Information Logging Standard

Incident Management And Vulnerability Disclosure

Incident Management & Response

While we have never experienced such an event, if there is a security breach in the future we will promptly notify you of any unauthorized access to your customer data. We have the expertise in place to assess the impact and to quickly take corrective and preventive actions to mitigate the issue as much as possible.

Related Policies:
Data Breach Policy