Crossbeam Security Policy

This Security Policy is incorporated into and made a part of the written agreement between Crossbeam and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Policy, this Security Policy shall govern.

1. Risk Management

SOC 2 (System and Organization Controls) is an industry-standard, regularly refreshed standard that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service. Crossbeam currently audits against the SOC 2 Type II standard and offers its SOC 2 Type II report (which is deemed to be Crossbeam Confidential Information) upon written request no more than once annually. To the extent Crossbeam discontinues its SOC 2 Type II audit, Crossbeam will adopt or maintain a substantially equivalent, industry-recognized framework. Crossbeam will maintain ISO 27001 and ISO 27701, to the extent Crossbeam discontinues its certifications under ISO 27001 and ISO 27701 Crossbeam will adopt or maintain an equivalent, industry-recognized framework. Security reviews are available at https://security.crossbeam.com/. Crossbeam is not obligated to conduct security reviews or assessments through any platform (including customer or third party platforms). The foregoing is not intended to limit the Customer’s audit rights which are set forth in Crossbeam’s DPA.

2. Access Controls
   1. Authentication

Overview. Crossbeam requires authentication for access to all application pages on the Service, except for those intended to be public.

Secure Communication of Credentials. Crossbeam currently uses TLS-encrypted requests to transmit authentication credentials to the Service.

Password Management. Crossbeam has processes designed to enforce minimum password requirements for the Service. Crossbeam currently enforces the following requirements and security standards for end user passwords on the Service:

Passwords must be a minimum of 12 characters in length and include a mix of uppercase and lowercase letters as well as numbers and symbols;
Multiple logins with the wrong username or password will result in a locked account, which will be disabled for a period of time to help prevent a brute-force login, but not long enough to prevent legitimate users from being unable to use the application;
Email-based password reset links are sent only to a user’s pre-registered email address with a temporary link;
Crossbeam rate limits multiple login attempts from the same email address; and
Crossbeam prevents reuse of recently-used passwords. 

Password Hashing. User account passwords stored on Auth0 are hashed with a random salt using industry-standard techniques. Auth0 uses bcrypt to hash and salt passwords.

Single Sign-On. For select packages, customers can implement Security Assertion Markup Language (SAML) Single Sign-On (SSO) through Crossbeam’s SSO provider.  This allows a customer’s team to login to Crossbeam using their existing corporate credentials. Single Sign-On is available on enterprise packages only. Crossbeam also supports Google Oauth as a form of Single Sign-On.

3. Session Management

Overview. Each time a user signs into the Service, the system assigns them a new, unique session identifier, currently consisting of 64 bytes of random data designed for protection against brute forcing.

Session Timeout. All sessions are designed to have a hard timeout (currently set to 7 days). Single Sign-On sessions are configured with an inactivity timeout as well (currently, 4 hours). There is an optional setting to terminate any sessions after 15 minutes of inactivity.

Sign Out. When signing out of the Service, the system is designed to delete the session cookie from the client and to invalidate the session identifier on Crossbeam servers.

4. Network and Transmission Controls

Crossbeam monitors and updates its communication technologies periodically with the goal of providing network security.

1. TLS and AES

Crossbeam encrypts all data at rest and in transit. Data is stored in AWS RDS/Aurora and encrypted with unique keys from AWS KMS. All database connections use TLS. HSTS is used to ensure browsers’ encryption of communication.

2. Network Security

Crossbeam regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

3. Infrastructure Security

Crossbeam uses an Intrusion Detection System (IDS) and Endpoint Detection and Response (EDR), and other security monitoring tools on the production servers hosting the Service. 

5. Data Confidentiality and Job Controls
   1. Internal Access to Data

Access to Customer Data is restricted within Crossbeam to employees and contractors who have a need to know this information to perform their job function, for example, to provide customer support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers). Access to Customer Data is protected with SSO and multi factor authentication (MFA) in addition to Secure Access Service Edge (SASE) at the device level.

Crossbeam currently requires the use of single sign-on, strong passwords and/or 2-factor authentication for all employees to access production servers for the Service.

2. Data Security

Customer Data is protected through the use of Data Security Posture Management Tools. Customer Data is not used in test environments.

3. Job Controls

Crossbeam has implemented several employee job controls to help protect the information stored on the Service:

All Crossbeam employees are required to sign confidentiality agreements prior to accessing Crossbeam’s production systems;
All Crossbeam employees are required to receive security and privacy training at time of hire, as well as quarterly security and/or privacy awareness training; 
Employee access to production systems that contain your data is logged and audited; 
Crossbeam employees are subject to disciplinary action, including but not limited to termination, if they are found to have abused their access to customer data; and
Crossbeam employees are subject to background check prior to employment, where permitted by law. 

6. Security in Engineering
   1. Product Security Overview

The engineering process for the Crossbeam platform follows industry-standard code development processes designed to ensure security at the product development and engineering levels. Changes to servers are administered by members of the engineering team in a DevOps model. All changes to servers and infrastructure are implemented as code using industry standard tools and undergo the systems development lifecycle process as changes to the software. 

2. Code Assessments

The software Crossbeam develops for the Service is continually monitored and tested using processes designed to proactively identify and remediate vulnerabilities. Crossbeam regularly conducts:

Source code analysis designed to find common defects;
Peer review of all code prior to being pushed to production;
Manual source code analysis on security-sensitive areas of code; and
Third-party application security assessments and penetration tests. 

3. Penetration Testing

Crossbeam conducts, at a minimum, annual penetration tests of its Services. Crossbeam uses industry recognized and reputable firms with appropriate expertise to conduct such testing. The results of these tests are available for download at https://security.crossbeam.com.

4. Formal Policies

Crossbeam maintains formal security and privacy policies that are communicated to employees and contractors. The policies are reviewed and audited annually, and the result of those audits can be downloaded at https://security.crossbeam.com.

7. Asset Management
   1. Asset and Software Inventory

Crossbeam maintains an inventory of assets as well as software that is maintained and updated for accuracy.

8. Availability Controls
   1. Disaster Recovery

The infrastructure for the Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

Cloud providers: Crossbeam currently uses Amazon Web Services, which is trusted by thousands of enterprises to store and serve their data and services.
Data replication: To help ensure availability in the event of a disaster,  the cloud provider replicates data across multiple data centers.
Backups: Crossbeam’s cloud provider performs daily, weekly, and monthly backups of data stored on the Service. All backups and snapshots are encrypted by default with AES256.

2. Incident Response

Crossbeam has an Incident Cybersecurity and Privacy Response Plan and Policy designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis. The results of these tests are available for download at https://security.crossbeam.com.

9. Segregation Controls
   1. Data Segregation

The Service is designed to logically separate each customers’ data from that of other customers. Crossbeam’s application logic is designed to enforce this segmentation by permitting each end user access only to accounts that the user has been granted access to.

2. User Roles

User roles specify different levels of permissions that the Customer can use to manage the users on the Service account. Customers can invite users to Customer’s Crossbeam account without giving all team members the same levels of permissions. 

10. Workforce Security
    1. Security and Privacy Awareness Training

Crossbeam conducts annual security and privacy awareness training of its workforce. New employees are required to take this training within 30 days of their start date.

11. Physical Security

Crossbeam uses a third party cloud platform (currently Amazon Web Services (“AWS”)) to host its production systems for the Service. Access to AWS’s data centers is limited to authorized personnel only, as verified by biometric identity verification measures. Physical security measures for AWS data centers include: on-premises security guards, closed circuit video monitoring, and additional intrusion protection measures. Crossbeam relies on AWS’s third party attestations of their physical security. Crossbeam is a fully remote company and does not maintain a physical office.

12. Patch and Vulnerability Management

Vulnerabilities meeting risk criteria defined by Crossbeam trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, Crossbeam will use commercially reasonable efforts to address any vulnerabilities within a reasonable timeframe. Vulnerabilities which Crossbeam deems to be critical in nature will be remediated or mitigated within 30 days. Regardless of severity,  Crossbeam remediates or mitigates all vulnerabilities within 90 days.