Security and Compliance

Crystallize users and customers trust us to keep their data safe. We take security very seriously and aim to be as clear and open as possible about the way we handle security.


If you have any questions or concerns please contact the Crystallize team.

Vulnerability reporting

If you would like to report a security concern or a potential vulnerability please contact security@crystallize.com.

GDPR Compliance

Crystallize is fully GDPR compliant. We handle our customers’ personal data with great care as detailed in our Data Processing Agreement. We follow industry best practice for security and privacy. Our 3rd party processors are carefully selected and are fully compliant with GDPR.

The DPA sets out terms upon which Crystallize will process Personal Data on your behalf – in compliance with the EU General Data Protection Regulation (GDPR). See our Data Processing Agreement for details.

Infrastructure Compliance

Crystallize is hosted on Amazon Web Services. AWS is compliant with several IT standards and recognized as a world leader in computing services.

Global certifications including global certifications include: CSA (Cloud Security Alliance Controls),  PCI DSS Level 1 (Payment Card Standards), ISO 9001 (Global Quality Standard), SOC 1 (Audit Controls Report), ISO 27001 (Security Management Controls),  SOC 2 (Security, Availability, & Confidentiality Report), ISO 27017 (Cloud Specific Controls), SOC 3 (General Controls Report), ISO 27018 (Personal Data Protection).

For a full list of infrastructure certifications please refer to the AWS Compliance Programs.

Crystallize employees do not have physical access to data centers, nor access to the underlying Amazon infrastructure.

Infrastructure Security

Crystallize is running on AWS which is recognized as one of the most secure services providers in the industry.


For details on physical and environmental, network and data security is described in the Amazon Web Services Security Whitepaper.

Application Security - Authentication and access

Login to Crystallize is managed via external authentication providers. Crystallize is currently using AWS Cognito to manage this and have Google Accounts and Facebook via OAuth 2. Users passwords will never be transferred to Crystallize. Crystallize also does not gain access to any external resources associated with the user account. 

Application Security - Encryption

All access to Crystallize PIM UI and API is encrypted with HTTPS transport layer security (TLS).

Corporate Security

All employees at Crystallize have signed confidentiality agreements. Employees are only given access to systems they require for their roles.