Security at Creately

At Creately, security is foundational to our platform and our culture. We are committed to providing a secure environment for our users’ ideas, diagrams, and data. We utilize a multi-layered security approach, combining rigorous internal audits, independent third-party certifications, and enterprise-grade technical safeguards.

Global Compliance & Certifications

We demonstrate our commitment to security through continuous independent validation of our controls and processes.

SOC 2 Type 2

We have successfully completed a SOC 2 Type 2 audit. This assessment confirms that our security controls are not only designed correctly but are consistently operated to protect customer data. Our report validates our adherence to the Trust Services Criteria for Security, Availability, and Confidentiality.

ISO 27001

Creately is ISO 27001 certified. This certification demonstrates that we maintain a comprehensive Information Security Management System (ISMS) that meets global standards for risk management, security resilience, and operational excellence.

HIPAA

We support healthcare and life sciences organizations by maintaining HIPAA compliance. We have implemented the necessary technical and administrative safeguards to protect electronic Protected Health Information (ePHI) and are prepared to sign Business Associate Agreements (BAAs) with our enterprise partners.

GDPR & Data Privacy

We are fully committed to GDPR compliance and the protection of individual privacy rights.

  • Data Residency: We offer regional data hosting options in the United States, Europe (EU), and Australia to help customers meet local data sovereignty requirements.
  • Privacy by Design: Security and privacy considerations are integrated into every stage of our product development lifecycle.

Technical Safeguards

Data Protection

We ensure your data is protected at all times using industry-standard protocols:

  • In Transit: All communication between your devices and our platform is encrypted using TLS 1.2 or higher.
  • At Rest: Customer data, including backups and metadata, is encrypted using AES-256 encryption.

Payment Security

We prioritize the security of your financial information. All credit card processing is handled by a PCI-DSS Level 1 certified company.

  • No Sensitive Storage: We do not store your credit card or CVV numbers on our own servers.
  • Secure Handling: Payment information is transmitted directly to our certified payment processor via encrypted channels, ensuring that your sensitive financial data is handled with the highest level of industry compliance.

Infrastructure Security

Our platform is hosted on world-class, Tier-1 cloud infrastructure providers that maintain the highest levels of physical and environmental security.

  • Network Isolation: Our production environments are logically isolated from development and testing environments.
  • Redundancy: Our architecture is designed for high availability with automated failover and regular backup procedures.

Vulnerability Management

  • Independent Testing: We engage independent security firms to conduct comprehensive penetration tests on our platform periodically.
  • Continuous Scanning: We employ automated tools to scan our source code and infrastructure for vulnerabilities and misconfigurations.
  • Patch Management: We follow a strict internal schedule for deploying security patches to our infrastructure and third-party dependencies.

Access & Identity Management

We provide the administrative controls necessary to secure your organization’s workspace.

  • Enterprise SSO: We support SAML-based Single Sign-On (SSO) with major identity providers for centralized user management.
  • Multi-Factor Authentication (MFA): We provide MFA options to ensure that only authorized users can access your account.
  • Granular Permissions: Our Role-Based Access Control (RBAC) allows administrators to manage data access at a granular level, ensuring the principle of least privilege is maintained.

Trust & Transparency

We believe in providing our customers with the evidence they need to trust our platform.

  • Third-Party Risk Management: We maintain a formal vendor management program. Before partnering with any third-party sub-processor that handles customer data, we conduct a comprehensive security review of their compliance posture and security controls.
  • Continuous Monitoring: We periodically review our critical vendors to ensure they continue to meet our high security and privacy standards.
  • Sub-processor Transparency: In accordance with global privacy regulations, we maintain an up-to-date list of our sub-processors, available to our customers upon request.

Our Security Package is available to enterprise customers under NDA and includes:

  • Our latest SOC 2 Type 2 Report
  • Our ISO 27001 Certificate
  • Our Data Processing Addendum (DPA)
  • HIPAA BAA Templates

Encryption and Key management

Encryption in transit

  • All customer data is encrypted in transit over public networks using Transport Layer Security (TLS) 1.2 or higher with Perfect Forward Secrecy (PFS) to prevent unauthorized disclosure or tampering. Creately's TLS configuration enforces strong cipher suites wherever the connecting client supports them.

  • Our TLS endpoints scored an A+ on the Qualys SSL Labs test.
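The transit policy stated above and under Data Protection (TLS 1.2 or higher, forward-secret cipher suites only) can be expressed and checked with Python's standard ssl module. The block below is an added example, not Creately's configuration: the cipher string, the function names and the "legacy" context used for contrast are this example's own, and only the policy itself comes from the page.

```python
"""Added example: a TLS policy check with Python's ssl module.

Builds a server-side SSLContext that refuses anything below TLS 1.2 and
offers only forward-secret suites, then audits the enabled suite list so
a misconfiguration is caught before deployment rather than by a scanner.
"""
import ssl

# OpenSSL cipher-list string (this example's choice, not the page's):
# authenticated ephemeral (EC)DH key exchange with AEAD ciphers only.
# Static-RSA key exchange never matches, so every TLS 1.2 suite selected
# here provides forward secrecy.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4"


def is_forward_secret(cipher_name: str) -> bool:
    """True if an OpenSSL suite name implies an ephemeral key exchange.

    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always forward
    secret; TLS 1.2 suites are only when keyed by ECDHE or DHE.
    Anything else, e.g. 'AES256-GCM-SHA384' (static RSA), fails.
    """
    return cipher_name.startswith(("TLS_", "ECDHE-", "DHE-"))


def build_strict_context() -> ssl.SSLContext:
    """Server context enforcing TLS >= 1.2 and PFS-only suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(STRICT_CIPHERS)
    ctx.options |= ssl.OP_NO_COMPRESSION          # TLS compression (CRIME) off
    return ctx


def build_legacy_context() -> ssl.SSLContext:
    """The weak setting beside the corrected one: OpenSSL's DEFAULT list,
    which in most builds still offers static-RSA suites without PFS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("DEFAULT")
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Names of enabled suites that lack forward secrecy (empty == compliant)."""
    return [c["name"] for c in ctx.get_ciphers() if not is_forward_secret(c["name"])]


if __name__ == "__main__":
    strict = build_strict_context()
    print("strict minimum version:", strict.minimum_version.name)
    print("strict non-PFS suites:", audit_context(strict))
    print("legacy non-PFS suites:", audit_context(build_legacy_context()))
```

The audit is deliberately name-based rather than handshake-based so it runs offline in CI; the external Qualys scan mentioned above then confirms what the deployed endpoint actually negotiates.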

Encryption at rest

  • All document content is encrypted at rest with AES-256.

Backups and Reliability

  • Our datastores are backed up every 24 hours.
  • All our systems are fully redundant and clustered.
  • We do periodical exercises to ensure that the disaster recovery process is smooth and capable of restoring the operations in a reasonable timeline.

Password Storage

  • All customer passwords are salted and hashed with multiple hash algorithms; passwords are never stored in plaintext.
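What "salted and hashed" has to mean in practice is a per-user random salt, a slow password hash, and a constant-time comparison on login. The block below is an added example, not Creately's code: the page does not name its hash algorithms, so PBKDF2-HMAC-SHA256 from the Python standard library is assumed here, and the record format and function names are this example's own.

```python
"""Added example: salted password hashing with a per-user random salt.

Algorithm choice (PBKDF2-HMAC-SHA256) and the record layout are this
example's assumptions; the page only states that passwords are salted
and hashed.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # OWASP (2023) guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex.

    A fresh 128-bit salt per password means two users with the same
    password get different records, so a leaked table cannot be cracked
    with one precomputed table of hashes.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count, then
    compare in constant time so the comparison leaks no timing signal."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False                      # malformed record is never a match
    if algo != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def needs_rehash(record: str) -> bool:
    """True when a stored record uses fewer iterations than current policy.
    Call after a successful login and re-store the result of hash_password()."""
    _, iterations, _, _ = record.split("$")
    return int(iterations) < ITERATIONS


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                   # False
```

Storing the algorithm and iteration count inside the record is what makes a later migration to a stronger parameter set (or a different hash) possible without forcing a password reset: old records keep verifying, and needs_rehash() upgrades them opportunistically.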

Payments and Credit Card Data storage

  • All payments made to Creately go through Chargebee, which is PCI-DSS certified. We don't store any of your card data or payment-related information on our systems.

Data Center Security

  • Creately’s servers and your data are hosted in Amazon Web Services (AWS) data centres. Amazon has controls in place to ensure physical and network security. AWS data centres are housed in nondescript facilities where physical access is strictly controlled both at the perimeter and at building access points by professional security staff, video surveillance, intrusion detection systems, and other electronic means. Access to their data centre floors requires two-factor authentication a minimum of two times.

  • AWS maintains multiple certifications for its data centres, including ISO 27001, PCI DSS and SOC reports. The reports and further details can be found at https://aws.amazon.com/security/.

Architectural Security

Creately was designed with security in mind, which is reflected in our network and server infrastructure and in our application design. We include risk assessments in every SDLC phase, treating security as a vital part of our architecture.

Network Security

  • Creately practices a layered approach to network access with controls in each and every layer of the stack.
  • We have implemented controls at each layer dividing our infrastructure by zones, environments and services.
  • We enforce zone restrictions on office, data centre and platform network traffic, segregate staging and production environments, and allow-list communication endpoints to limit the blast radius of any compromise.
  • We control access to sensitive networks via Virtual Private Cloud (VPC) routing, firewall rules and software-defined networking, and all communications are encrypted end to end.
  • Staff connectivity is secured with device certificates, multi-factor authentication and use of proxies for sensitive network access. Access to customer data requires explicit review and approval.
  • We have also implemented Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) in all our offices and production environments to identify and prevent potential security issues.
  • We monitor our infrastructure, applications and services 24/7, with alerts configured to identify security breach attempts and downtime.
  • We adhere to the best practices for OS and application patch management.

Operational Security & Practices

We give our day-to-day operations and practices the same priority as securing our architecture.

Access to Customer Document Data

  • Within our environment we treat all customer data as equally sensitive and have strict controls governing this data. We will not access customer data without explicit authorization from the owner of the data. All access to customer data is logged and audited internally.
  • Within Creately, only authorized employees have access to customer data stored within our systems. Authentication uses individual passphrase-protected SSH key pairs, and servers accept incoming SSH connections only from Creately offices and internal data centre locations.
  • We treat any inappropriate and/or unauthorized access to customer data as a security incident and manage it through our security incident process which includes instructions to notify affected customer(s) if a breach is observed.

Support Access

  • Our support teams will only access customer information when necessary to resolve an open ticket and upon explicit customer request or consent.

Training/ Awareness

  • Our security training and awareness programme is not held just for compliance's sake; it aims to give staff broad knowledge and a deep understanding of the security aspects of their work and of day-to-day processes and practices.
  • We don’t stop at security awareness training for new hires. We conduct periodic training workshops on security issues and how to prevent and mitigate them, for continuous improvement.

Change Management

  • We practice a change management process that informs stakeholders and uses an approval workflow to obtain their consent.
  • All changes are peer-reviewed as part of our CI process.
  • Our Continuous Integration (CI) tool checks and flags any change that, once merged into the master branch, would cause failures in our integration, unit, functional or security tests.

Employee Recruitment

  • We run background checks and other necessary security clearance when we onboard a new employee.

Security Incident Management

  • Our security team aggregates logs from a number of sources in the infrastructure and makes use of a Security Information and Event Management (SIEM) platform to monitor and flag any suspicious activity.
  • Our internal processes define how these alerts are triaged, investigated further and escalated appropriately.
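Two controls stated on this page translate directly into SIEM rules: servers accept SSH only from office and internal data-centre ranges (Access to Customer Document Data, above), and only key-based logins are expected. The block below is an added example of such rules run over sshd log lines; it is not Creately's detection content. The log lines, the allow-listed networks (RFC 5737 documentation and private ranges) and the brute-force threshold are all constructed for the example.

```python
"""Added example: SIEM-style rules over sshd log lines.

Rules implemented (all thresholds and networks are this example's own):
  1. an accepted login from a source outside the allow-list,
  2. an accepted login that used password rather than key authentication,
  3. repeated failed logins from one source (simple brute-force rule).
"""
import ipaddress
import re
from collections import Counter

# Constructed allow-list; RFC 5737 documentation range plus a private range.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),   # hypothetical office egress
    ipaddress.ip_network("10.20.0.0/16"),   # hypothetical internal DC range
]
BRUTE_FORCE_THRESHOLD = 3

# Constructed sshd lines in the default syslog format (not real data).
SAMPLE_LOG = """\
Jan 12 03:14:07 prod-app-01 sshd[2143]: Accepted publickey for deploy from 10.20.0.15 port 51822 ssh2: ED25519 SHA256:k3JQexample
Jan 12 03:15:22 prod-app-01 sshd[2150]: Accepted publickey for deploy from 203.0.113.45 port 40122 ssh2: ED25519 SHA256:k3JQexample
Jan 12 03:16:01 prod-app-01 sshd[2158]: Accepted password for root from 198.51.100.7 port 2222 ssh2
Jan 12 03:16:30 prod-app-01 sshd[2160]: Failed password for invalid user admin from 198.51.100.7 port 2223 ssh2
Jan 12 03:16:31 prod-app-01 sshd[2161]: Failed password for invalid user test from 198.51.100.7 port 2224 ssh2
Jan 12 03:16:33 prod-app-01 sshd[2162]: Failed password for root from 198.51.100.7 port 2225 ssh2
Jan 12 03:20:10 prod-app-01 sshd[2170]: Accepted publickey for ops from 192.0.2.40 port 50010 ssh2: ED25519 SHA256:9xZaexample
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def in_allowlist(src: str) -> bool:
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_NETWORKS)


def detect(log_text: str) -> list:
    """Return alerts as (rule, user, src) tuples in order of first detection."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # not an auth event; ignore
        result, method, user, src = m.group("result", "method", "user", "src")
        if result == "Accepted":
            if not in_allowlist(src):
                alerts.append(("ssh_login_outside_allowlist", user, src))
            if method == "password":
                alerts.append(("ssh_password_auth_used", user, src))
        else:  # Failed
            failures[src] += 1
            if failures[src] == BRUTE_FORCE_THRESHOLD:   # fire once per source
                alerts.append(("ssh_brute_force", "*", src))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Rule 1 is the one that matters most for the stated control: a successful login from outside the allow-list means either the network restriction has failed or a host is reachable from somewhere it should not be, and either way it should be triaged as an incident rather than a warning.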

Vulnerability Management

  • Our security team performs on-going network and infrastructure vulnerability scans using an industry leading vulnerability scanner.
  • We also engage external security consulting firms to conduct penetration tests on infrastructure, web sites and apps whenever there is a new architectural design change or we set up our infrastructure in a new data centre.
  • Internal processes are in place to review any reported vulnerabilities and mitigate / secure us against them. This process includes predefined timelines for patching the vulnerabilities based on their CVSS (v3.1) score.

Report a Vulnerability

We would greatly appreciate any effort you take to report a security vulnerability in Creately. You can contact support to report any concern or security incidents you may have, and we’ll work on it right away.