Crisp takes your security and the security of your website visitors very seriously. Our team implements security best practices at every level.
Security Practices In Our Team
Our whole team implements strict security practices regarding how they access their accounts:
- Crisp has always refused to sell any data, and our policy is to respect your data privacy. Our business model is based on paid Crisp subscriptions, not on your data
- Two-factor authentication is enabled on the third-party services Crisp uses
- Our SSH keys are all password-protected
- All Crisp features are designed around security and reliability
- Every computer running Crisp development tools is secured and up to date
- All Crisp employees, agents, and providers are trained in data-security practices each year
- Security policies are reviewed yearly for all employees and relevant subcontractors
- Employees who can access customer data via our internal system are assigned different security levels, so that they only have access to the data relevant to their role (i.e. no chat messages, no end-customer data). The internal system enforces permission levels, access logs, TOTP, rate limits and safety checks
- All Crisp employee computers are encrypted
- No Crisp employee computer stores customer data
- We keep no servers or security keys in our offices, so neither Crisp nor your data is at risk in case of an intrusion into our offices.
- Crisp uses encrypted backups so we are able to recover customer data in case of emergency
Server hardening is also critical in ensuring the best security for our users.
Here are some of our practices in terms of infrastructure management:
- All servers and services run the latest security updates and are patched immediately when a kernel vulnerability is published
- Messaging servers are hosted in 🇳🇱 The Netherlands
- Plugin servers are hosted in 🇩🇪 Germany
- Denial-of-service protections are set everywhere (this ensures service resiliency under attack)
- Our architecture is split into replicated microservices, ensuring service continuity in case of hardware failure
- We have different layers of databases which are all replicated around the world
- Our network is protected with firewalls
- Our system runs automated monitoring, allowing us to be aware of issues before they affect our customers.
- Technical staff use pagers so that we are notified of incidents immediately (even when everyone is asleep and phones are in silent mode)
- Crisp infrastructure was designed to continue running as normal even in case of server incidents
- All Crisp domains are protected with DNSSEC
- Server authentication uses password-protected SSH keys; direct password authentication is not possible
- SSH services are not publicly reachable and are limited to a set of allowed IPs
- Abusive IPs are automatically banned or rate-limited (this prevents brute-force attacks on accounts)
- We use hardware token generators for all of our sensitive infrastructure-related accounts (hardware-backed TOTP)
Crisp strictly implements the GDPR, which aims to protect user data, give users the right to modify and delete such data, and require consent to data collection.
Encryption has become so cheap and convenient today that it is now possible to enable it everywhere. All public network channels on the Crisp platform are fully encrypted. This applies both to asset loading (Web resources) and to real-time chat channels (user messages and user data).
Our encryption techniques implement state-of-the-art practices:
- Strong TLS keys: RSA, 2048 bits
- Elliptic-Curve Cryptography
- Forward-Secrecy with Diffie-Hellman parameters
- HTTP Strict Transport Security
We dropped legacy encryption methods to mitigate known attacks:
- The old SSL protocol is completely disabled (we use TLS)
- Legacy ciphers are disabled (e.g. RC4)
This allows you and your users to stay safe:
- Hide the data as it is being transmitted on the network
- Prevent all modification of data as it is being transmitted on the network
- Prevent man-in-the-middle (MITM) attacks
- Allow the service to work on restricted networks, over strict proxies
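As an added example (not Crisp's own code), the following Python script checks a server's negotiated TLS session against the properties listed above: TLS 1.2 or later rather than SSL, no RC4 or other legacy ciphers, (EC)DHE forward secrecy, and an HSTS header. The check thresholds are assumptions, and the RSA key size is not verified because that requires parsing the certificate.

```python
import re
import socket
import ssl

# Policy thresholds constructed from the properties listed on this page (assumptions).
MODERN_TLS = ("TLSv1.2", "TLSv1.3")
LEGACY_CIPHER_FRAGMENTS = ("RC4", "NULL", "EXPORT", "DES", "MD5")
PFS_KEY_EXCHANGE = ("ECDHE", "DHE")
MIN_HSTS_MAX_AGE = 15552000  # 180 days, a common lower bound for HSTS

def assess_tls(version, cipher_name, hsts_header=None):
    """Return {check: passed} for one negotiated session plus its HSTS header."""
    upper = cipher_name.upper()
    # TLS 1.3 suites always use (EC)DHE, so their names carry no key-exchange prefix.
    forward_secrecy = version == "TLSv1.3" or upper.startswith(PFS_KEY_EXCHANGE)
    max_age = re.search(r"max-age=(\d+)", hsts_header or "", re.IGNORECASE)
    return {
        "modern_tls": version in MODERN_TLS,  # SSL and early TLS not negotiated
        "no_legacy_cipher": not any(f in upper for f in LEGACY_CIPHER_FRAGMENTS),
        "forward_secrecy": forward_secrecy,  # (EC)DHE key exchange
        "hsts": bool(max_age) and int(max_age.group(1)) >= MIN_HSTS_MAX_AGE,
    }

def parse_headers(raw):
    """Map lower-cased header names to values from a raw HTTP response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if value:
            headers[name.strip().lower()] = value.strip()
    return headers

def probe(host, port=443, timeout=5):
    """Negotiate TLS as a modern client, fetch response headers, and assess them."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            version, (cipher_name, _, _) = tls.version(), tls.cipher()
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode())
            raw = b""
            while b"\r\n\r\n" not in raw:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
    hsts = parse_headers(raw).get("strict-transport-security")
    return assess_tls(version, cipher_name, hsts)

if __name__ == "__main__":
    # Constructed sample: a session that meets every property listed on the page.
    print(assess_tls("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", "max-age=31536000; includeSubDomains"))
```

probe() reports only what a modern client negotiates; confirming that SSLv3 or TLS 1.0 are actually refused requires separate handshakes forced to those versions.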
If you find any security hole in the Crisp REST API (or any other system), you are more than welcome to report it directly to email@example.com.
⚠️ You must encrypt your email using the following GPG public key: