Security & Trust

Last updated 2026-04-25. The deep version of what's on the homepage — written for vendor-security questionnaires.

Access to your cloud environment

  • Read-only. Crestline never has write or delete permissions to your cloud accounts. AWS engagements use cross-account IAM roles with the AWS managed SecurityAudit policy plus a small custom policy for read-only services not covered by SecurityAudit; Azure engagements use an app registration with the Reader role on the target subscriptions; M365 engagements use a service account with read-only Graph API scopes.
  • Short-lived. Roles use STS-issued credentials with session durations under one hour. The role's external ID rotates per engagement.
  • You own the role. You create the role from a CloudFormation / Bicep template we provide; you can delete it at any time and the access is revoked.
  • Audit trail. Every assume-role action is logged to your CloudTrail / Azure Activity Log. We log every action we take in our own audit trail too.

Where your data lives

  • AWS, US-East-1. Single AWS account (652253417224), all data resident in us-east-1. We can deliver to other regions on request for an additional engineering fee.
  • DynamoDB — structured findings, customer records, scan metadata, attestations. Encrypted at rest with AWS-managed KMS keys; point-in-time recovery enabled across all tables.
  • S3 — raw scan outputs (Prowler OCSF JSON). Bucket-level encryption, versioning enabled, public-access blocked, 90-day lifecycle to auto-deletion.
  • Secrets Manager — encrypted customer cloud credentials. Never logged, never exposed via API.
  • No third-party data residency. We use AWS Bedrock for AI narrative generation; prompts and outputs do not leave AWS, and we do not opt in to Bedrock model improvement / retraining.

Multi-tenant isolation

Every customer-scoped portal and admin route is gated by a customer-resolution decorator (@can_access_customer, @can_access_scan, @can_access_finding, @can_access_api_token) that returns 404 / 403 if the calling user belongs to a different customer than the resource. The decorators are exhaustively tested by a 176-test multi-tenant isolation suite that runs on every pull request — a route added without the decorator fails CI immediately.

Software supply chain

  • Pinned dependencies. requirements.in is the source of truth, requirements.txt is a hashed lockfile generated by pip-compile. Installs are --require-hashes; a tampered package triggers an install failure.
  • SBOM on every deploy. A CycloneDX SBOM is generated from the lockfile on every push to main and uploaded as a workflow artefact tagged with the commit SHA. Request the SBOM as part of your vendor security review.
  • Dependabot opens automatic PRs weekly for pip / npm / GitHub Actions / Docker. pip-audit runs on every PR and surfaces known CVEs.
  • Vulnerability disclosure. See SECURITY.md. 48-hour acknowledgment, 30-day remediation target for criticals.

Audit, attestation, and compliance

  • SOC 2. No SOC 2 report yet. Crestline plans to pursue SOC 2 Type 1 once the platform has 3-5 paying customers and a meaningful operating window. Until then, we answer SOC 2-style questions in vendor security questionnaires using the controls described on this page.
  • Penetration test. No third-party pen-test letter yet. Planned at customer #5+ — we'll publish the letter when we have one.
  • HIPAA. AWS Business Associate Addendum signed between Crestline and AWS. Crestline-side BAA template available for HIPAA-scoped engagements (additional regulated-data surcharge applies — see pricing).
  • PCI. Crestline does not enter your cardholder data environment (CDE). Engagements involving PCI environments include scope-exclusion contract language defining what's in/out — Crestline stays out of PCI compliance scope itself.

Incident response

If Crestline is the source of a security event affecting your data: notification within 24 hours of confirmation, follow-up cadence agreed in writing, post-incident summary within 5 business days. SEV-1 customer-affecting events are responded to within 4 business hours (Default tier) or 1 business hour (Premium tier) per the SLA exhibit. The internal IR runbook is at docs/runbooks/security-incident-response.md.

Data retention & deletion

See the deeper data retention policy — TL;DR: raw scan outputs auto-delete at 90 days, structured findings are retained until you delete your account, and account deletion is a single customer-self-service action from the portal.

What we don't do

  • No remediation execution. We deliver findings, prioritization, compliance mapping, and advisory walkthroughs; your engineering team or your MSP partner ships the fixes. We are not a managed security service.
  • No write or delete access to your cloud environment, ever.
  • No PHI / cardholder data ingestion. Our scans read configuration metadata — IAM policies, network rules, encryption settings — not your data.
  • No public AI training on your data. Bedrock invocations are not opted into model improvement.

Open questions?

Vendor security questionnaire? security@crestlinesecurity.com — we'll fill it in within one business day for questionnaires under 100 questions, two for longer ones. Retainer customers get this turnaround at no extra charge as part of the support tier.