Product Security

How does CrossEngage ensure login security and secure user access management?

Our platform’s authentication is based on CIAM technology (Keycloak). We support the integration of external identity providers if you would like to connect CrossEngage to your company-internal workplace IDP.

Does CrossEngage’s platform authentication support MFA?

Yes, based on TOTP.

Does CrossEngage’s platform authorization support RBAC?

Yes, we support a role based access control model.

Does CrossEngage’s platform authorization support IP restrictions?

Yes.

Can user activity or audit trails be exported?

We can provide this upon request.

Data Security

Where does CrossEngage process or store customer data?

Our application is hosted exclusively in Germany (Frankfurt), with data centre providers that are subject to and compliant with the EU GDPR.

Does CrossEngage encrypt my data in transit and at rest?

For data in transit, we follow the industry standard of TLS with strong cipher suites, both for incoming HTTP traffic and for connections between internal services.

Because our data platform depends on speed, we do not encrypt all data at rest at the field level. We do, however, use full-disk encryption at the operating-system level.

Who has access to the data that CrossEngage is processing?

Our general design principles are based on zero trust and need-to-know. As such, only dedicated teams in our company are granted such access, e.g. your account manager. In addition, our technology department, which runs the platform, has access to the underlying infrastructure and databases.

How are workplace devices (laptops, mobiles etc.) secured, e.g. against malware or data exfiltration?

CrossEngage diligently manages the security of workplace devices using several technologies: mobile device management (MDM, Kandji), endpoint detection and response (EDR, SentinelOne) and vulnerability management (VM, Tenable.io).

All devices are initially hardened by applying appropriate security configurations (100+ different settings). Our MDM is also used to remote-wipe devices, should they ever be stolen.

In addition, we have rolled out an EDR solution to monitor for indicators of compromise. Lastly, vulnerability discovery and remediation are done using a dedicated VM product.

How are server runtimes secured, e.g. against malware or data exfiltration?

Aside from the common security practices you would expect (e.g. zero-trust access management to our infrastructure, based on SASE (Perimeter81)), our server runtimes are primarily secured through pre-hardened configuration and EDR. In particular, EDR is used to continuously monitor for potential indicators of compromise and to combat malware infections automatically.

Can data be deleted from CrossEngage’s platform?

Yes, of course.

Governance, Risk, Compliance

Does CrossEngage have an Information Security Program?

Yes. Our Security Team takes care of the company’s security program, annual targets, design principles, architecture decisions and so on. You can find further related information in our Security & Trust Center on our website at https://www.crossengage.io/de/security-trust-center-crossengages-security/

Keeping our customers’ data safe is our utmost priority, and we continue to invest in best-in-class tooling to deliver on this promise.

Is CrossEngage's Security Program aligned with industry standards?

Yes. Specifically, we align as closely as we can with the following standards:

SOC2 Type II
ISO 27001
CIS AWS 1.4.0
NIST 800-171 Rev2
AWS Well Architected

Attestation and benchmarks for select scopes can be provided upon request.

Does CrossEngage hold any 3rd party compliance attestations for security?

We select our service providers with security and compliance in mind. As such, key parties in our provider ecosystem are 100% compliant with industry security standards such as SOC2 Type II or ISO 27001. CrossEngage regularly evaluates suppliers, in a prioritised fashion, against these requirements.

CrossEngage itself has not yet undergone an audit with certified attestation. Our security framework goes well beyond what industry standards demand; however, based on our customers’ feedback, investing in the time-consuming process of annual audits and maintaining compliance has not proven to be practically necessary to date.

Does CrossEngage regularly undergo penetration testing by a 3rd party firm?

Yes. We conduct different forms of testing in cycles.

Most importantly, we run a state-of-the-art, 24/7 vulnerability reward program to detect potential issues as early as possible. Further, we conduct penetration tests and inside-out security audits multiple times per year.

Does CrossEngage have an Incident Response process and policy?

Yes. Aside from the corresponding policy and procedures, we monitor for and detect attacks on multiple levels. For example, our network edge is secured via WAAP technology (Cloudflare), and security-relevant metrics from different sources are piped into our SIEM system (SumoLogic) for continuous monitoring and alerting.

Does CrossEngage follow secure software development practices?

Yes. We address this from multiple angles and can provide further detail where required. Our primary means of ensuring that only secure code is shipped can be summarised as:

Pre-deployment: continuous training and education for our technology team, threat modelling exercises, the four-eyes principle and code reviews for code merges;

Post-deployment: 24/7 vulnerability reward program, dedicated penetration testing;