Security Policy

At Cramigo, we take the security of your data seriously. This page describes our commitments and practices for keeping your information safe.

1. Infrastructure

Cramigo runs on enterprise-grade cloud infrastructure with built-in DDoS protection, automatic HTTPS, automated backups, high availability, and geographic redundancy. Our infrastructure providers maintain SOC 2 Type II compliance and undergo regular independent security audits.

2. Data Encryption

• In transit — All data transmitted between your browser and our servers is encrypted using industry-standard transport layer encryption.
• At rest — All data stored in our database and file storage is encrypted at rest using industry-standard encryption provided by our infrastructure partners.

3. Authentication

• Passwords are securely hashed before storage. We never store plaintext passwords.
• Email verification is required for new accounts.
• Session tokens are managed with secure, HTTP-only cookies and are automatically rotated.

4. Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. This means:

• Your credit card number, CVV, and billing details are processed entirely by Stripe and never touch our servers.
• We only store a customer identifier and subscription status to manage your account access.
• All payment pages use Stripe's hosted checkout, which is independently audited for security compliance.

5. Access Controls

• Data isolation — Access controls are enforced at the database level, ensuring users can only read and modify their own data.
• Admin access — Administrative operations are restricted to authorized team members and use separate elevated credentials that are never exposed to end users.

6. Application Security

Our application follows modern security best practices:

• All user inputs are validated and sanitized on the server side before processing.
• Security headers are configured to guard against common web attacks including clickjacking, content injection, and cross-site scripting.
• API endpoints are rate-limited to prevent abuse.
• We regularly review and update third-party dependencies to address known vulnerabilities.

7. Vulnerability Reporting

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to us privately so we can address it before it can be exploited.

Please include a detailed description of the vulnerability, the steps to reproduce it, and any potential impact. We ask that you give us reasonable time to investigate and resolve the issue before making any public disclosure.

8. Incident Response

In the event of a security incident that affects your personal data, we are committed to:

• Notifying affected users within 72 hours of confirming the breach.
• Providing a clear description of what happened, what data was involved, and what steps we are taking to address it.
• Working with our infrastructure providers to investigate the root cause and prevent recurrence.
• Reporting to applicable regulatory authorities as required by law.

9. Contact

If you have any questions about our security practices, please contact us: