Crossbeam Security Policy

This Security Policy is incorporated into and made a part of the written agreement between Crossbeam and Customer that references this document (the “Agreement”) and any capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. In the event of any conflict between the terms of the Agreement and this Security Policy, this Security Policy shall govern.

SOC 2 (System and Organization Controls) is an industry-standard, regularly refreshed standard that focuses on non-financial reporting controls as they relate to security, availability, and confidentiality of a cloud service. Crossbeam currently audits against the SOC 2 Type II standard and offers its SOC 2 Type II report (which is deemed to be Crossbeam Confidential Information) upon written request no more than once annually. To the extent Crossbeam discontinues its SOC 2 Type II audit, Crossbeam will adopt or maintain a substantially equivalent, industry-recognized framework. Security reviews are available at https://security.crossbeam.com/. Crossbeam is not obligated to conduct security reviews or assessments through any platform (including customer or third party platforms).

Overview. Crossbeam requires authentication for access to all application pages on the Service, except for those intended to be public.

Secure Communication of Credentials. Crossbeam currently uses encrypted requests to transmit authentication credentials to the Service.

Password Management. Crossbeam has processes designed to enforce minimum password requirements for the Service. 

Password Hashing. User account passwords stored on the Service are hashed with a random salt using industry-standard techniques. 

Single Sign-On. If designated in an applicable Order, Customer can implement Single Sign-On (SSO) through Crossbeam’s SSO provider.  This allows Customer and its Users to login to the Service using their existing corporate credentials. 

Overview. Each time a User signs in, the Service assigns them a new, unique session identifier.

Session Timeout. All sessions are designed to have a hard timeout. 

Sign Out. When signing out, the Service is designed to delete the session cookie from the User’s system and to invalidate the session identifier on Crossbeam servers.

Crossbeam monitors and updates its communication technologies periodically with the goal of providing network security.

Crossbeam regularly updates network architecture schema and maintains an understanding of the data flows between its systems. Firewall rules and access restrictions are reviewed for appropriateness on a regular basis.

Crossbeam uses  security monitoring tools on the production servers hosting the Service. 

Access to Customer Data is restricted within Crossbeam to employees and contractors who have a need to know this information to perform their job function, for example, to provide Support, to maintain infrastructure, or for product enhancements (for instance, to understand how an engineering change affects a group of customers).

Crossbeam has implemented several employee job controls designed to help protect Customer Data stored on the Service. 

The infrastructure for the Service is designed to minimize service interruption due to hardware failure, natural disaster, or other catastrophes. Features include:

  • Data replication: To help ensure availability in the event of a disaster, Crossbeam replicates Customer Data across multiple data centers.
  • Backups: Crossbeam performs backups of Customer Data stored on the Service.

Crossbeam has an Incident Response Plan designed to promptly and systematically respond to security and availability incidents that may arise. The incident response plan is tested and refined on a regular basis.

The Service is designed to logically separate Customer’s Customer Data from that of other customers. Crossbeam’s application logic is designed to enforce this segmentation by permitting each User access only to accounts to which that User has been granted access. 

User roles specify different levels of permissions that Customer can use to manage its Users. Customer can invite Users to its Service account without giving all Users the same levels of permissions.