Security Practices

Updated on July 21, 2022

Crisp takes your security and the security of your website visitors very seriously. Our team implements security best practices at every level.

Security Practices In Our Team

Our whole team follows strict security practices, covering both how accounts are accessed and how customer data is handled:

  • Crisp has never sold any data, and our policy is to respect your privacy. Our business model is based on paid Crisp subscriptions, not on your data
  • Two-factor authentication is enabled on the third-party services Crisp uses
  • All our SSH private keys are passphrase-protected
  • All Crisp features are designed around security and reliability
  • Every computer running Crisp development tools is secured and kept up to date
  • All Crisp employees, agents, and providers are trained in data-security practices every year
  • Security policies are reviewed yearly for all employees and relevant subcontractors
  • Employees who access customer data through our internal system are assigned different access levels, so each only sees the data relevant to their role (i.e. no chat messages and no end-customer data). The system enforces per-level permissions, access logs, TOTP, rate limits and safety checks
  • All Crisp employee computers are encrypted
  • No Crisp employee computer stores customer data
  • We keep no servers or security keys in our offices, so neither Crisp nor your data is at risk if our offices are broken into
  • Crisp keeps encrypted backups so that customer data can be recovered in an emergency

Infrastructure Hardening

Server hardening is also critical to ensuring the best security for our users.

Here are some of our practices in terms of infrastructure management:

  • All servers and services run the latest security updates and are patched immediately when a kernel vulnerability is published
  • Messaging servers are hosted in 🇳🇱 The Netherlands
  • Plugin servers are hosted in 🇩🇪 Germany
  • Denial-of-service protections are in place everywhere (this keeps the service resilient under attack)
  • Our architecture is replicated across micro-services, ensuring service continuity in case of hardware failure
  • We have different layers of databases, all replicated around the world
  • Our network is protected with firewalls
  • Automated monitoring alerts us to issues before they affect our customers
  • Technical staff carry pagers so we are notified of incidents immediately (even when everyone is asleep and phones are on silent)
  • Crisp's infrastructure was designed to keep running normally even during server incidents
  • All Crisp domains are protected with DNSSEC
  • Servers authenticate administrators with passphrase-protected SSH keys only; password authentication is disabled
  • SSH services are not publicly reachable and are restricted to an allowlist of IP addresses
  • Abusive IPs are automatically banned or rate-limited (this prevents brute-force attacks on accounts)
  • We use hardware token generators for all sensitive infrastructure-related accounts (hardware-backed TOTP)
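
The "SSH keys only, no passwords" item above is easy to get wrong in sshd_config, for two reasons: sshd keeps the first value it sees for a keyword and silently ignores later duplicates, and turning off PasswordAuthentication alone still leaves PAM password prompts reachable through keyboard-interactive authentication. The audit below is an added example written for this page, not Crisp's configuration or tooling. Both config texts are constructed samples, and the defaults table reflects OpenSSH 7.0 and later.

```python
"""Audit an sshd_config for key-only login. Added example, not Crisp's tooling."""
import re

# Constructed sample: looks hardened at a glance but is not.
SAMPLE_SSHD_CONFIG = """\
Port 22
PubkeyAuthentication yes
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no     # ignored by sshd: the first value wins
Match Address 203.0.113.0/24
    PasswordAuthentication no
    PermitRootLogin no
"""

# Constructed sample: the corrected version.
HARDENED_SSHD_CONFIG = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no    # otherwise PAM can still prompt for a password
PermitRootLogin no
"""

# sshd defaults (OpenSSH 7.0+) for the keywords the audit looks at.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}


def parse_sshd_config(text):
    """Parse sshd_config into (global_settings, [(match_criteria, settings), ...]).

    Mirrors the sshd rules that matter here: '#' starts a comment, keywords are
    case-insensitive, 'Key value' and 'Key=value' are both accepted, the first
    value given for a keyword wins, and lines after 'Match ...' belong to that
    block until the next Match line.
    """
    global_settings, match_blocks = {}, []
    current = global_settings
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "challengeresponseauthentication":   # deprecated alias
            key = "kbdinteractiveauthentication"
        if key == "match":
            match_blocks.append((value, {}))
            current = match_blocks[-1][1]
            continue
        current.setdefault(key, value)   # first occurrence wins
    return global_settings, match_blocks


def effective_settings(global_settings, match_blocks, matched=()):
    """Settings seen by a connection satisfying the Match criteria listed in `matched`."""
    settings = dict(DEFAULTS)
    settings.update(global_settings)
    for criteria, block in match_blocks:
        if criteria in matched:       # a matching block overrides the global values
            settings.update(block)
    return settings


def audit(settings):
    """Return the findings that contradict 'key-only login, no passwords'."""
    findings = []
    if settings["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication is not 'no'")
    if settings["kbdinteractiveauthentication"].lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no' (PAM can still prompt for a password)")
    if settings["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication is disabled")
    if settings["permitrootlogin"].lower() == "yes":
        findings.append("PermitRootLogin yes")
    return findings


def audit_config(text, matched=()):
    global_settings, match_blocks = parse_sshd_config(text)
    return audit(effective_settings(global_settings, match_blocks, matched))


if __name__ == "__main__":
    print("sample, unmatched client:", audit_config(SAMPLE_SSHD_CONFIG))
    print("sample, allowlisted client:", audit_config(SAMPLE_SSHD_CONFIG, ("Address 203.0.113.0/24",)))
    print("hardened:", audit_config(HARDENED_SSHD_CONFIG))
```

Run it against a real file with `audit_config(open("/etc/ssh/sshd_config").read())`; on a live host, `sshd -T` prints the effective values after sshd's own parsing and is the authoritative cross-check. Note that the per-IP restriction mentioned above is normally enforced by a firewall rather than by sshd, so this audit cannot see it.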

Data Security

Crisp strictly implements the GDPR, which aims to protect user data, gives users the right to modify and delete such data, and requires their consent to data collection.

You can find our full GDPR-oriented privacy policy in our article What's Crisp EU GDPR compliance status? (it applies to all our users, wherever they are in the world). That article lists the data we collect on our users, as well as their rights.

Ubiquitous Encryption

Encryption has become cheap and convenient enough that it can be enabled everywhere. All public network channels on the Crisp platform are fully encrypted: this covers both asset loading (Web resources) and real-time chat channels (user messages and user data).

Our encryption configuration follows current best practice:

  • Strong TLS keys: RSA, 2048 bits
  • Elliptic-curve cryptography
  • Forward secrecy with ephemeral Diffie-Hellman key exchange
  • HTTP Strict Transport Security (HSTS)

We dropped legacy encryption methods to avoid known attacks:

  • The old SSL protocol is completely disabled (we use TLS only)
  • Legacy ciphers are disabled (e.g. RC4)

This keeps you and your users safe by:

  • Hiding data as it travels over the network
  • Preventing any modification of data in transit
  • Preventing man-in-the-middle (MITM) attacks
  • Allowing the service to work on restricted networks and through strict proxies

If you have questions regarding Crisp security, chat with us!
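
As an added check (example code written for this page, not Crisp's own tooling), the script below connects to a host with a client that refuses anything older than TLS 1.2, reports the negotiated protocol and cipher suite, judges that suite against the policy above (no legacy algorithms such as RC4, forward secrecy via ECDHE/DHE or TLS 1.3), and evaluates the HSTS header. The 180-day minimum max-age and the includeSubDomains check are thresholds chosen for this example, not something the page states. The evaluation functions are pure and run offline; only probe() touches the network.

```python
"""Probe a TLS endpoint against the policy above. Added example, not Crisp's tooling."""
import socket
import ssl
import sys

# Substrings (OpenSSL suite naming) that mark legacy material: RC4 as the page
# names, plus DES/3DES, NULL, export-grade, MD5 and anonymous key exchange.
LEGACY_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")

MIN_HSTS_AGE = 15552000  # 180 days; threshold chosen for this example


def cipher_is_acceptable(name):
    """True if the suite has no legacy component and provides forward secrecy.

    TLS 1.3 suites (TLS_*) always use ephemeral (EC)DH. For TLS 1.2 the key
    exchange must be ECDHE or DHE, so a static-RSA suite such as AES128-SHA
    fails even though its cipher is fine.
    """
    upper = name.upper()
    if any(marker in upper for marker in LEGACY_MARKERS):
        return False
    return upper.startswith(("TLS_", "ECDHE-", "DHE-"))


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value or None}."""
    directives = {}
    for part in (header or "").split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(header):
    """Return findings for a missing or weak HSTS header (empty list if fine)."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    directives = parse_hsts(header)
    findings = []
    age = directives.get("max-age")
    if age is None or not age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(age) < MIN_HSTS_AGE:
        findings.append(f"max-age {age} is below {MIN_HSTS_AGE}")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set")
    return findings


def probe(host, port=443, timeout=5):
    """Connect with a modern client policy, record protocol/cipher, fetch HSTS."""
    ctx = ssl.create_default_context()          # verifies the certificate chain
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3/TLS 1.0/1.1 refused
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher, _, bits = tls.cipher()      # bits = symmetric key size, not the RSA key
            request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
            tls.sendall(request.encode())
            raw = b""
            while True:
                chunk = tls.recv(4096)
                if not chunk:
                    break
                raw += chunk
            header_lines = raw.decode("latin-1").split("\r\n\r\n", 1)[0].split("\r\n")[1:]
            hsts = None
            for line in header_lines:
                name, _, value = line.partition(":")
                if name.strip().lower() == "strict-transport-security":
                    hsts = value.strip()
            return {
                "protocol": tls.version(),
                "cipher": cipher,
                "symmetric_bits": bits,
                "cipher_ok": cipher_is_acceptable(cipher),
                "hsts": hsts,
                "hsts_findings": evaluate_hsts(hsts),
            }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_probe.py <host>")
    print(probe(sys.argv[1]))
```

The probe only shows the suite one client negotiated; to confirm that RC4 and SSLv3 are refused rather than merely not preferred, offer them explicitly (for example `openssl s_client -cipher RC4-SHA` or `-ssl3` where your OpenSSL build still supports it) and expect the handshake to fail. Certificate key size is not exposed by the `ssl` module's cipher() call; `openssl s_client` prints it.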

Vulnerability Disclosures

If you find a security hole in the Crisp REST API (or any other system), you are more than welcome to report it directly to security@crisp.chat.

🤝 Past disclosures: Hely Shah, John Gracey, Haq Khokhar, Sylvain Kerkour, Marek Geleta, Tushar Sharma (many thanks to them!).

⚠️ You must encrypt your email with the following GPG public key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
[key material not present in this copy of the page]
-----END PGP PUBLIC KEY BLOCK-----