CARAGRC TRUST CENTER

Security, Privacy & Compliance.

Security of our customers data is our highest priority.

We use our own product to measure and monitor our security posture continuously.

We take a security-first approach towards product development, quality assurance and operational support. We have periodic audits and continuous monitoring to ensure that your data is always secure. Leading technologies and industry best practices are utilized to maintain the security and availability of the CARAgrc solution.

CARAgrc Security Shield
-->

NIST CyberSecurity Framework (CSF 2.0)

CARAgrc has adopted the NIST CSF framework which provides a great foundation to build, implement, manage, and mature the organizations cybersecurity practices.

Govern
Identify
Protect
Detect
Respond
Recover

Privacy Policy

We are committed to preventing unauthorized access or disclosure to our customers information. Security and privacy go hand in hand at CARAgrc.

Read our privacy policy

Security Pillars

Learn more about our security practices across the four core pillars of our infrastructure and operations.

Cloud Security

Secure infrastructure

CARAgrc's computing infrastructure is provided by AWS, a secure cloud services platform. Its physical infrastructure has been accredited under SOC 2, ISO 27001, PCI Level 1 and FISMA Moderate.

Encryption in Transit

The communication between you and our servers is encrypted with Transport Layer Security (TLS v1.3 and v1.2) encryption. System controls prevent cross site scripting and SQL injection attacks.

Data Encryption

All data captured in CARAgrc is encrypted and stored on AWS servers in accordance with ISO 27001 requirements.

Vulnerability Management

System vulnerability assessments and internal security controls have been implemented to identify vulnerabilities and reduce risk exposure.

Data Backups

Data and audit logs are backed up regularly. Full backups are performed with new updates or each week and whichever is sooner.

Incident Management

Our incident management process ensures rapid response to security events affecting integrity or availability. Customer events are highest priority.

Application Security

Secure Development

Access to CARAgrc deployment environments is strictly controlled. Testing and Staging environments are logically separated from Production.

User Security

A multi-tenanted system where each account has a unique identifier. Powered by SSL to maintain connection security and encrypt data safely.

Vulnerability Scanning & Patching

We periodically check and apply patches for third-party software/services. Vulnerabilities are fixed within pre-defined SLAs.

Penetration Testing

We conduct periodic penetration tests to ensure the security posture and uncover potential vulnerabilities using an independent VAPT service.

Product Security

Multi-Factor Auth

MFA can be set for user logins. CARAgrc does not store any plain-text passwords; all passwords are securely hashed.

User Security (Invites)

Users must be explicitly invited to join and accept the invitation to create their account before accessing any data.

Administrative Data Access

Access to production databases is strictly controlled and restricted only to users actively performing customer support.

Data Backups

Data backups are encrypted and sensitive data is automatically encrypted or masked in the live database.

Data Life Cycle

We securely delete a customer’s data after 45 days in CyberFirst product. Customer data in other products are secured for 365 days.

User Permissions

Granular permissions allow you to control data access. Admin, Manager, and User roles are explicitly separated.

Human Resources Security

Security Awareness

All CARAgrc personnel are required to undergo security training covering industry best practices around typical human-based-attack vectors like phishing.

Confidentiality

All new CARAgrc employees are required to sign strict Non-Disclosure and Confidentiality agreements upon hiring.

Responsible Disclosure

We are committed to making our system secure. If you find a security issue, please let us know immediately. We will make sure the issue is fixed and updated at the earliest.