Skip to main content

Security and Compliance

Crystallize users and customers trust us to keep their data safe. We take security very seriously and aim to be as clear and open as possible about the way we handle security.

If you have any questions or concerns, please contact the Crystallize team.

Vulnerability Reporting

If you would like to report a security concern or a potential vulnerability, please contact

GDPR and CCPA Compliance

Crystallize is fully compliant with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We follow industry best practices for security and privacy, and we handle our customers’ personal data with great care, as detailed in our Data Processing Agreement. Our third-party processors are carefully selected and also fully compliant.

Infrastructure Compliance and Security

Amazon Web Services (AWS)

Crystallize is hosted on Amazon Web Services. AWS is compliant with several IT standards and recognized as a world leader in computing services.

Global certifications include: CSA (Cloud Security Alliance Controls),  PCI DSS Level 1 (Payment Card Standards), ISO 9001 (Global Quality Standard), SOC 1 (Audit Controls Report), ISO 27001 (Security Management Controls), SOC 2 (Security, Availability, & Confidentiality Report), ISO 27017 (Cloud Specific Controls), SOC 3 (General Controls Report), ISO 27018 (Personal Data Protection).

For a full list of infrastructure certifications, please refer to the AWS Compliance Programs.

Crystallize employees do not have physical access to data centers, nor do they have any access to the underlying Amazon infrastructure.

For physical and environmental details, network and data security is described in the Amazon Web Services Security White paper.

MongoDB Atlas

Databases run on MongoDB Atlas, which offers enterprise-level security features used to control who can access, manipulate, and delete data in our databases:

  • Network isolation and access
  • Encryption in flight and at rest
  • Granular database auditing

MongoDB Atlas undergoes independent verification of platform security, privacy, and compliance controls.

Learn more about MongoDB Atlas’ security controls and features, including data storage, access controls, and application security, in their white paper.

ElasticSearch Cloud

Search indexes run on ElasticSearch Cloud. Elastic operates in compliance with key information security standards and regulations. Their services are independently audited and confirmed to meet privacy and compliance standards for data security and privacy via certifications and attestations.

Application Security

We keep all your data private and safe.


Login to Crystallize is managed via external authentication providers. Crystallize is currently using AWS Cognito to manage this. Crystallize login is passwordless via magic link or using Social Connect like Google Connect, Facebook Connect, Github Connect, or Twitter Connect via OAuth 2. Users' passwords will never be transferred to Crystallize. Crystallize also does not gain access to any external resources associated with the user account.

Access Control Management

All access to our infrastructure is based on the principle of least privilege. Only a hand-picked and experienced group of employees has access to production servers. As part of our Corporate Security measures, this access is renewed and revoked following the employees' lifecycle in the company.


All access to the Crystallize user interface and API is encrypted with HTTPS transport layer security (TLS). The use of HTTPS websites also safeguards your important data and credentials against unauthorized third-party access.


All our data, including Amazon S3 buckets and databases, is backed up:

  • hourly, retained for one day
  • daily, retained for 7 days
  • weekly, retained for a month
  • monthly, retained for a year

In addition, with respect to databases, MongoDB Atlas features a point-in-time restore, which allows us to go back to a previous database state.

Development and Releases

We follow a strict testing procedure (with and without automation) for every release of new versions and components. 

We keep our code secure. Our developers are constantly trained and obliged to follow industry best practices for software development and security, such as OWASP.

Corporate Security


All employees at Crystallize have signed confidentiality agreements. 


Access to data is extremely restricted. Employees are only given access to systems they require for their roles. We have strict and secure onboarding and offboarding processes for employees.

There are no passwords stored in plaintext in any of the tools that we are using. We use Bitwarden as a password management service to store sensitive information such as website credentials in encrypted vaults.

Multi-factor authentication is enforced throughout the main services Crystallize employees rely on.

Code Peer Review and Quality Assurance (QA)

Our development process follows a strict Git flow based on GitHub’s pull request. Our continuous integration/continuous development (CI/CD) practices protect against regression, and our engineers review pull requests in pair programming to effectively merge features with the fewest possible bugs and vulnerabilities.

Each new feature is first deployed to our staging environments (which do not contain any production data) to perform QA and testing. Then the feature is deployed and marked as “Experimental” for a period of time, allowing us to produce and serve a robust and performant API.