Security, Privacy & Compliance.
Security of our customers data is our highest priority.
We use our own product to measure and monitor our security posture continuously.
We take a security-first approach towards product development, quality assurance and operational support. We have periodic audits and continuous monitoring to ensure that your data is always secure. Leading technologies and industry best practices are utilized to maintain the security and availability of the CARAgrc solution.
NIST CyberSecurity Framework (CSF 2.0)
CARAgrc has adopted the NIST CSF framework which provides a great foundation to build, implement, manage, and mature the organizations cybersecurity practices.
Privacy Policy
We are committed to preventing unauthorized access or disclosure to our customers information. Security and privacy go hand in hand at CARAgrc.
Read our privacy policySecurity Pillars
Learn more about our security practices across the four core pillars of our infrastructure and operations.
Cloud Security
Secure infrastructure
CARAgrc's computing infrastructure is provided by AWS, a secure cloud services platform. Its physical infrastructure has been accredited under SOC 2, ISO 27001, PCI Level 1 and FISMA Moderate.
Encryption in Transit
The communication between you and our servers is encrypted with Transport Layer Security (TLS v1.3 and v1.2) encryption. System controls prevent cross site scripting and SQL injection attacks.
Data Encryption
All data captured in CARAgrc is encrypted and stored on AWS servers in accordance with ISO 27001 requirements.
Vulnerability Management
System vulnerability assessments and internal security controls have been implemented to identify vulnerabilities and reduce risk exposure.
Data Backups
Data and audit logs are backed up regularly. Full backups are performed with new updates or each week and whichever is sooner.
Incident Management
Our incident management process ensures rapid response to security events affecting integrity or availability. Customer events are highest priority.
Application Security
Secure Development
Access to CARAgrc deployment environments is strictly controlled. Testing and Staging environments are logically separated from Production.
User Security
A multi-tenanted system where each account has a unique identifier. Powered by SSL to maintain connection security and encrypt data safely.
Vulnerability Scanning & Patching
We periodically check and apply patches for third-party software/services. Vulnerabilities are fixed within pre-defined SLAs.
Penetration Testing
We conduct periodic penetration tests to ensure the security posture and uncover potential vulnerabilities using an independent VAPT service.
Product Security
Multi-Factor Auth
MFA can be set for user logins. CARAgrc does not store any plain-text passwords; all passwords are securely hashed.
User Security (Invites)
Users must be explicitly invited to join and accept the invitation to create their account before accessing any data.
Administrative Data Access
Access to production databases is strictly controlled and restricted only to users actively performing customer support.
Data Backups
Data backups are encrypted and sensitive data is automatically encrypted or masked in the live database.
Data Life Cycle
We securely delete a customer’s data after 45 days in CyberFirst product. Customer data in other products are secured for 365 days.
User Permissions
Granular permissions allow you to control data access. Admin, Manager, and User roles are explicitly separated.
Human Resources Security
Security Awareness
All CARAgrc personnel are required to undergo security training covering industry best practices around typical human-based-attack vectors like phishing.
Confidentiality
All new CARAgrc employees are required to sign strict Non-Disclosure and Confidentiality agreements upon hiring.
Responsible Disclosure
We are committed to making our system secure. If you find a security issue, please let us know immediately. We will make sure the issue is fixed and updated at the earliest.