Trust Center

Welcome to Cresta's Trust Center. Our commitment to data privacy and security is embedded in every part of our business. Use this Trust Center to learn about our security posture and request access to our security documentation.

Our enterprise-grade security and data privacy program is designed to keep your customer data safe and secure. We rely on industry best practices, security product features, and comprehensive audits of our applications, systems, and networks to ensure that your data is always protected. Here is an introduction to Cresta’s security and data privacy practices.

Have questions? If you have additional questions about our security program, please reach out to your enterprise sales representative or email security@cresta.ai.

Intuit
Porsche
CarMax
Hilton Grand Vacations
Holiday Inn Club Vacations
Brinks HomeTM

Documents

Featured Documents

Compliance: PCI DSS
Trust Center Updates

Subprocessor Notification

Subprocessors
March 14, 2025

Effective March 14, 2025, Cresta has discontinued using Atlassian.

March 10, 2025

Effective January 30, 2025, Cresta has discontinued using FullStory.

December 11, 2024

Cresta added GUIDEcx as a sub-processor for onboarding software.

October 29, 2024

Cresta added Cartesia AI as a sub-processor for TTS (text-to-speech).

September 17, 2024

Effective September 17, 2024, Cresta has discontinued using MosaicML.

March 7, 2024

Cresta added MosaicML as a sub-processor for LLM model inference.

March 7, 2024

Cresta added Atlassian as a sub-processor for project management / ticketing.

February 21, 2024

Cresta added Fireworks.ai as a sub-processor for LLM model inference.

February 14, 2024

Effective February 14, 2024, Cresta has discontinued using Optimizely.

Third-party audits

Compliance
March 3, 2025

Cresta updated its Trust Center with new audit reports and certificates for SOC2 Type II and ISO27001/27701/42001.

April 16, 2024

Cresta updated its Trust Center with new audit reports for SOC2 Type II, ISO27001/27701 and HIPAA.

Updates

General
July 19, 2024

Cresta is aware of the ongoing CrowdStrike incident, but is not affected by it. We are closely monitoring the situation and are staying in contact with CrowdStrike.

Vulnerability Notification

Vulnerabilities
March 30, 2024

Cresta is aware of CVE-2024-3094, related to malicious code being embedded in XZ Utils versions 5.6.0 and 5.6.1. Cresta does not use the affected versions.

October 12, 2023

Cresta is aware of CVE-2023-44487, also known as the "HTTP/2 Rapid Reset attack", which affects HTTP/2-capable web servers: rapid stream generation and cancellation can result in additional load, which could lead to a denial of service. Mitigations were implemented to address the vulnerability.

If you think you may have discovered a vulnerability, please send us a note.
