Security

Security at CRATrust

We handle sensitive compliance data. Security is not an afterthought; it is a core product requirement and a direct reflection of the standards we help our customers meet.

Security measures

Encryption

All data in transit is encrypted with TLS 1.2 or higher. Data at rest is encrypted with AES-256.

Access controls

Role-based access controls, multi-factor authentication, and least-privilege principles are enforced throughout.

EU infrastructure

All data is hosted on servers located within Germany (EU). We do not transfer data outside the EEA.

Monitoring

24/7 infrastructure monitoring, intrusion detection, and automated anomaly alerting.

Incident response

Documented incident response plan. Affected customers notified within 48 hours of a confirmed breach.

GDPR compliance

Personal data processed in accordance with GDPR. Data minimisation, purpose limitation, and your rights to access, rectification, and erasure are fully supported.

Vulnerability disclosure

If you discover a security vulnerability in CRATrust, we ask that you report it to us responsibly before disclosing it publicly. We commit to:

  • Acknowledge receipt of your report within 48 hours
  • Provide a status update within 7 days
  • Work with you to understand and resolve the issue promptly
  • Not pursue legal action against researchers acting in good faith
  • Credit researchers in our security acknowledgements (if desired)

Please report security issues to: [email protected]

For sensitive reports, please encrypt your message using our PGP key (available on request).

Questions about security?

Our security team is available to answer questions from enterprise customers about our security posture, penetration testing results, and compliance certifications.
