Security

We know how critical your data is to you, so security is at the forefront of everything we do.

We’re committed to keeping your data secure and your private information private. If you have any questions, please contact us.

Steps we take to ensure your security

Compliance Program

Cloudcraft recently achieved its first SOC 2 Type I report and is currently preparing for its Type II report. Our SOC 2 Security, Availability & Confidentiality report is available to current and prospective customers; contact us at security@cloudcraft.co for a copy.

All of Cloudcraft's infrastructure is hosted on Amazon Web Services (AWS). Cloudcraft uses AWS data centers that are SOC 1, SOC 2 and ISO/IEC 27001 certified in the US East and GovCloud (for our government customers) regions.

Third Party Testing

Cloudcraft hires an external company annually for penetration and security testing. Our test reports are available to current and prospective customers; contact us at security@cloudcraft.co for a copy.

Encryption

All Cloudcraft data and communications are encrypted using industry best practices.

Privacy And Confidentiality

No Cloudcraft staff will access your data unless required for support reasons. When working a support issue we only access the minimum data needed to resolve your issue while respecting your privacy. Access to data is restricted by job function and monitored.

Access Controls

All data, including your diagrams, is private by default and only accessible by you. If you explicitly share something, you can always revoke the access later. Cloudcraft Pro and Enterprise editions also include role-based access controls for teams.

Single Sign-On

Cloudcraft Enterprise integrates with your existing corporate directory and authentication methods through the use of SAML 2.0 for SSO. Just-in-Time user provisioning, IdP and SP-initiated logins, as well as strict SAML-only modes are also supported.

Secure Authentication

All user passwords are stored salted and hashed (using scrypt) and cannot be recovered by Cloudcraft staff.

When using Enterprise SSO/SAML 2.0 or a Google Account to access Cloudcraft, no user credentials are stored by Cloudcraft; the identity provider signs each identity assertion and Cloudcraft verifies that signature before granting access.

Optional Two-Factor Authentication (2FA/MFA) support is available for an additional layer of protection of your account.

Secure Configuration and Change Management

Cloudcraft uses code reviews, vulnerability scans, automated testing and automated deployments, with servers continuously kept up to date with the latest security errata. Our configuration and change management processes are documented and audited as part of our SOC 2 certification.

Cloudcraft Live security

Cloudcraft Live allows you to auto-generate and sync your AWS environments with your diagrams. Live was designed from the start to take full advantage of the latest AWS security best practices. Specifically, Cloudcraft uses cross-account IAM roles, the secure way to grant access to your AWS environment without handing over long-lived access keys.

Cloudcraft Live provides a safe and secure way for you to visually explore and plan your AWS environment.
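As an added example (not Cloudcraft's own code or its actual role setup), the block below builds the kind of role trust policy a customer creates for a SaaS integration's cross-account access and lints it for the two mistakes that matter most: a wildcard principal, which lets any AWS account assume the role, and a missing sts:ExternalId condition, which exposes the role to the confused-deputy problem. The account ID and external ID are constructed placeholders.

```python
import json
from typing import List

# Constructed placeholders; not Cloudcraft's real account or external ID.
SAAS_ACCOUNT_ID = "111111111111"
CUSTOMER_EXTERNAL_ID = "cc-7d1a0f0e-example"


def build_trust_policy(saas_account_id: str, external_id: str) -> dict:
    """Trust policy that only the named account can assume, and only when it
    presents the customer-specific external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{saas_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def trust_policy_findings(policy: dict) -> List[str]:
    """Return human-readable findings for every Allow sts:AssumeRole statement."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        aws_principals = (_as_list(principal.get("AWS", []))
                          if isinstance(principal, dict) else _as_list(principal))
        if "*" in aws_principals:
            findings.append(
                f"statement {i}: wildcard principal lets any AWS account assume the role")
        external_id = (stmt.get("Condition", {})
                           .get("StringEquals", {})
                           .get("sts:ExternalId"))
        if not external_id:
            findings.append(
                f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
    return findings


if __name__ == "__main__":
    good = build_trust_policy(SAAS_ACCOUNT_ID, CUSTOMER_EXTERNAL_ID)
    print(json.dumps(good, indent=2))
    print(trust_policy_findings(good))  # []
    # Constructed weak policy: anyone may assume the role, no external ID.
    weak = {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
    for finding in trust_policy_findings(weak):
        print(finding)
```

The external ID is the part practitioners most often drop: without it, a third party who learns the role ARN can ask the SaaS vendor to "connect" that ARN to their own tenant, and the vendor's account would assume your role on their behalf. Pair the trust policy with a permissions policy that grants only the read actions the integration needs.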

Credit card security

If you subscribe to Cloudcraft's paid plans, your credit card data is not transmitted through nor stored on our systems. We use a payment processor called Stripe, a company entirely dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Read more about Stripe’s security.

Need to report a security vulnerability?

Please email us directly at security@cloudcraft.co

Responsible Disclosure

We strive to keep Cloudcraft safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner. We will work with you to assess and understand the scope of the issue and fully address any concerns. Emails are directly sent to our engineering staff to ensure that issues are addressed rapidly. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.

Questions?

If you have questions regarding a specific policy or general inquiries regarding security, please contact us.