Безопасность в Crowdin

Организационная безопасность

Crowdin Information Security Policy requirements apply to the entire Crowdin organization and are mandatory for all employees and those involved in these business processes. ISMS is built on three pillars: people, processes, and technology, with an extensive implementation of a Zero Trust Architecture (ZTA). Zero Trust Architecture operates on the principle of "never trust, always verify", meaning that access to resources is never implicitly trusted based on the location of the user or the device. Instead, strict identity verification and continuous authentication are required for every access attempt, regardless of whether it originates from inside or outside the network perimeter. A Chief Information Security Officer (CISO) is responsible for ensuring the proper protection of information assets and technologies.

Обучение и осведомлённость в области безопасности

В Crowdin все сотрудники в течение года проходят постоянное обучение по вопросам безопасности и осведомлённости. Каждый новый член команды проходит базовое обучение по безопасности в течение первого месяца после приёма на работу. Мы проводим регулярные проверки доступа, обновляем пароли и работаем по принципу наименьших привилегий. Также необходимо пройти обучение по вопросам безопасности в зависимости от роли.

Аппаратная безопасность

All employee devices have encrypted hard drives. Only the appointed system administrator conducts hardware and software installation, configuration, or alteration. Delivery, removal of equipment to/from the data center facility is authorized, logged, and monitored. User-specific access credentials (e.g., user ID/password pair, etc.) are required to access workstation equipment, services, and applications.

• BYOD (Bring Your Own Device) is limited. Sensitive data is processed only on company-managed devices.
• Сompany-managed devices are equipped with MDM, binary authorization and monitoring systems, antivirus software, and controlled software updates.
• Mandatory Hardware Keys - Access to company data is controlled by mandatory hardware-based 2FA keys.
• Context-Aware Access - Access to corporate data is only allowed from company-managed devices.
• Location-based access restrictions are enforced.
• Binary Authorization and Monitoring - Only allowlisted binary files can be executed on employee devices.

Физическая охрана

Crowdin’s office is monitored and protected by an alarm system and equipped with fire alarm systems. Closed-circuit (CCTV) cameras are installed across the office and capture entrances, exits, and other designated areas. Crowdin employees do not have physical access to any of our production facilities, as our whole infrastructure is in the cloud. Secure areas are protected with entry controls, so only authorized personnel is allowed access.

Сетевая безопасность

Our internal network is restricted, segmented, password-protected, and all network security-related events are logged.

Безопасность программного обеспечения

Crowdin employs a team of 24/7/365 server specialists to keep our software and its dependencies up to date, removing potential security vulnerabilities. We use monitoring solutions to prevent and eliminate site attacks.

• Software Allowlisting - Only approved software and browser plugins are allowed on company devices.
• OAuth App Control - OAuth apps with access to corporate data are continuously controlled and monitored.
• Cloud services access is through SAML with context-aware access.

Incident Response

Crowdin implements a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Проверка сотрудников

Crowdin performs background checks on all new employees, contractors, or other individuals who have access to systems or the network or physical data center facilities in accordance with local laws.

Безопасность третьих лиц и агенств

Crowdin maintains vendor risk management practices to ensure third parties are scrutinized and maintain expected levels of security controls. View our List of Sub-processors.

Безопасная, надежная инфраструктура

Crowdin uses Amazon Web Services (AWS) data centers for our computing infrastructure, with geographical restrictions in place to ensure data processing is limited to specific countries to enhance security. AWS has ISO 27001 certification and has completed multiple SSAE 16 audits. For more information on their security measures, visit AWS Cloud Security page. AWS Cloud Security page.

In addition to the benefits provided by AWS, our application has additional built-in security features:

• Двухфакторная аутентификация
• Единый вход через SAML 2.0
• REST API Authentication - API token with granular permission control
• Права на основе ролей
• Резервные копии и управление версиями
• Crowdin enforces a password complexity standard
• Device Verification feature provides an additional layer of security, protecting accounts in case a password is compromised

Обязательства PCI

When you sign up for a paid Crowdin account, we do not store any of your billing information on our servers. All payments made to Crowdin go through our partner, FastSpring. They are compliant with PCI Security Standard. More details about their security setup can be found on Stripe's Risk Management + Compliance page.

Время работы

Check our past month stats at https://status.crowdin.com/. You can request an SLA agreement as a separate service, for this contact us at onboarding@crowdin.com

Доступ к данным

Access to customer data is limited to authorized employees who require it for their job. An example of this is our Support team. The support team representatives may only have access to the files or settings needed to solve issues submitted by customers.

Непрерывность бизнеса и аварийное восстановление

We have developed, regularly test and update both a Disaster Recovery Plan and a Business Continuity Plan.

Penetration Testing

Crowdin performs annual penetration testing conducted by an independent, third-party security audit company. No customer data is exposed to the company during testing. A summary of the penetration test results is available to enterprise customers upon request.

If you have any questions about security at Crowdin or would like to submit a vulnerability report, please contact us at support@crowdin.com.

We will work with you to assess the issue and fully address any concerns. Emails about security issues are treated with the highest priority. Safety and security of our service are our top priorities.