Security

Built so agencies can share their most sensitive client files with confidence.

Every control, from infrastructure to onboarding, is designed to keep data private, compliant, and available.

Encryption layered

TLS 1.3 in transit, AES-256 at rest, and rotating secrets keep every payload sealed.

Continuous monitoring

SIEM streams, anomaly alerts, and on-call responders 24/7/365.

Zero-trust access

Least privilege, MFA, and device posture enforcement on every admin path.

Snapshot

Last updated: January 2025
Coverage: Web app, API, files, automations
Certifications: SOC 2 Type II (in progress)

Need a deeper dive? Request the latest security pack and we will share NDA-ready documentation.

Security backbone

Guarding every briefing, approval, and upload in your pipeline

You ship creative work. We obsess over keeping it protected without slowing you down.

Defense in depth

Layers of perimeter, app, and data controls block threats before they become incidents.

Cloud hardened

Global, SOC 2 Type II infrastructure with segmentation, IDS, and DDoS defenses baked in.

Human verified

Background checks, security training, and least-privilege workflows for every teammate.

Audit ready

Change logging, data classification, and policy reviews aligned to ISO 27001 and GDPR.

Dive deeper

How we keep Crittiks secure end to end

This is the same playbook our internal teams follow. Share it with legal, procurement, or clients who want a detailed overview.

Data classification

Workspace data is tagged by sensitivity so access reviews stay precise.

Vendor diligence

Every sub-processor signs DPAs, passes annual audits, and supports rapid termination.

Rapid response

Documented playbooks, tabletop drills, and a pledge to notify you of a breach within 72 hours.

Encryption everywhere

Encryption is enforced by default so data is unreadable even if transport or storage is intercepted.

  • TLS 1.3 with modern cipher suites secures every browser, API, and mobile connection in transit.
  • AES-256 protects databases, object storage, and search indexes, with keys rotated automatically.
  • Encrypted backups mirror production policies—no data is ever written in plain text.

Hardened infrastructure

  • Hosted on SOC 2 Type II certified cloud regions with 99.9% uptime SLAs.
  • Network segmentation isolates workloads and limits lateral movement.
  • Layered firewalls and advanced DDoS mitigation shield the perimeter from volumetric attacks.
  • Intrusion detection and prevention systems stream telemetry into our SIEM for real-time alerting.

Access controls you control

  • Role-based access control (RBAC) constrains every user to the projects and data they need.
  • Multi-factor authentication (MFA), SSO (SAML/OIDC), and device posture signals stop account takeover attempts.
  • Short-lived session tokens, automatic idle timeouts, and forced re-auth for sensitive actions.
  • Optional IP allow-lists for agencies that operate from fixed locations or secure gateways.

Secure development lifecycle

  • Secure coding standards aligned to OWASP Top 10 guide every pull request.
  • Peer review plus automated dependency and SAST scans run before merges.
  • Third-party penetration tests and red-team simulations validate defenses at least twice a year.
  • Continuous vulnerability management keeps runtimes, containers, and libraries patched.

Resilience and recovery

  • Automated, encrypted backups occur multiple times per day with point-in-time restore.
  • Backups are stored across multiple geographic regions for redundancy.
  • Disaster recovery plans define tight RTO/RPO targets and are tested routinely.
  • Retention policies ensure we can roll back to safe checkpoints when needed.

Monitoring & incident response

  • 24/7 monitoring through centralized logging, metrics, and behavioral analytics.
  • Dedicated incident responders follow tested playbooks for triage, containment, and recovery.
  • Security events are correlated via SIEM tooling so root causes are isolated quickly.
  • Breach notifications are issued to affected workspaces within 72 hours of confirmation.

We run quarterly tabletop exercises with engineering, success, and leadership to keep the plan sharp.

People & process safeguards

  • Background checks and confidentiality agreements precede any production access.
  • Mandatory security awareness training plus phishing simulations throughout the year.
  • Strict offboarding workflows revoke credentials, devices, and VPN access immediately.
  • Least-privilege policies ensure engineers only elevate when change tickets demand it.

Security best practices for your team

Pair our platform protections with these quick wins to reduce your attack surface even further.

  • Enable MFA for every seat and rotate recovery codes regularly.
  • Use strong, unique passphrases (12+ characters with symbols and numbers).
  • Provision distinct accounts instead of sharing logins across teams.
  • Review user roles quarterly and remove access for former collaborators.
  • Stay vigilant against phishing; we will never ask for passwords over chat.
  • Keep browsers and operating systems patched before accessing client records.
  • Log out from shared or kiosk devices once reviews are finished.
  • Flag unusual activity immediately by emailing support@crittiks.com.

Responsible disclosure

Found a vulnerability? We’ll work with you to fix it quickly and recognize valid findings.

  • Email support@crittiks.com with a detailed proof-of-concept.
  • Avoid accessing, modifying, or deleting data that isn’t yours while testing.
  • Give us reasonable time to investigate before public disclosure.
  • We acknowledge submissions within 48 hours and share remediation updates.
  • Eligible reports may receive bug bounty rewards based on severity.

Security contact

Need the latest pen test, DPA, or white-glove review?

Email us and we’ll share the documentation you or your clients require—NDA-ready.

support@crittiks.com

Crittiks Group Pty Ltd

ABN 55 654 097 784

Suite 73, 44 Lakeview Dr, Scoresby, VIC 3179