Security at Thrust CRM

How we protect your data with enterprise-grade security

Last updated: 10 February 2026

Our Security Commitment

Security isn't an afterthought at Thrust CRM—it's built into every layer of our platform. We employ industry-leading practices to protect your data from unauthorized access, disclosure, or loss.

Infrastructure Security

Cloud Hosting (AWS)

  • Location: UK and EU data centers only (London and Frankfurt regions)
  • Certifications: ISO 27001, SOC 2 Type II, PCI DSS Level 1
  • Redundancy: Multi-availability zone deployment for 99.9% uptime
  • DDoS Protection: AWS Shield Standard and Advanced
  • Network Security: VPC isolation, security groups, network ACLs

Database Security

  • Encryption at Rest: AES-256 encryption for all stored data
  • Encryption in Transit: TLS 1.2+ for all connections
  • Automated Backups: Daily encrypted backups retained for 30 days
  • Point-in-Time Recovery: Restore to any point in the last 7 days
  • Geographic Replication: Cross-region backup replication

Application Security

Authentication & Access Control

  • Multi-Factor Authentication (MFA): Optional 2FA via authenticator apps or SMS
  • Password Requirements: Minimum 12 characters, complexity requirements
  • Password Hashing: Bcrypt with per-user salts (cost factor 12)
  • Session Management: Secure session tokens, automatic timeout after inactivity
  • IP Whitelisting: Restrict account access by IP (Enterprise plan)
  • Single Sign-On (SSO): SAML 2.0 integration (Enterprise plan)

Role-Based Access Controls (RBAC)

  • Granular Permissions: Control access to features, data, and actions
  • Principle of Least Privilege: Users only get necessary permissions
  • Team Segregation: Multi-tenant isolation for agencies
  • Audit Trails: Log all access and changes to sensitive data

Web Application Security

  • OWASP Top 10 Protection: Defenses against common vulnerabilities
  • CSRF Protection: Tokens on all state-changing requests
  • XSS Prevention: Content Security Policy, input sanitization
  • SQL Injection Protection: Parameterized queries, ORM
  • Rate Limiting: Prevent brute force and DDoS attacks
  • HTTPS Only: Strict Transport Security (HSTS) enforced

Data Protection

Encryption

  • At Rest: AES-256 for database, file storage, backups
  • In Transit: TLS 1.2+ for all API calls, web traffic, emails
  • Payment Data: PCI DSS compliant via Stripe (we never store card numbers)
  • API Keys: Encrypted when stored, transmitted via secure channels only

Data Segregation

  • Tenant Isolation: Logical separation of customer data in the database
  • Row-Level Security: Database queries filtered by tenant ID
  • No Cross-Contamination: Your data is never exposed to other customers
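The tenant-isolation pattern above (every query carries the tenant's ID) can be illustrated with a small repository layer. The code below is an added example, not Thrust CRM's code: the `contacts` schema, the sample rows, the `TenantSession` type and the `tenant_id = ?` guard are all constructed assumptions. It uses an in-memory SQLite database so it runs offline, and it shows the two properties a defender cares about: the tenant comes from the authenticated session rather than from request input, and a query that omits the tenant predicate is refused before it reaches the database.

```python
"""Tenant-scoped data access (added example, not Thrust CRM's code).

Every read against the shared contacts table is filtered by tenant_id, the
tenant is taken from the login session rather than from the request, and a
statement without the tenant predicate is rejected by a guard.
"""
import sqlite3
from dataclasses import dataclass

# Constructed sample data: two tenants sharing one table (hypothetical schema).
SAMPLE_CONTACTS = [
    (1, "acme", "alice@example.com"),
    (2, "acme", "bob@example.com"),
    (3, "globex", "carol@example.com"),
]


def build_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE contacts ("
        "id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_CONTACTS)
    # Index on tenant_id so the mandatory filter stays cheap.
    conn.execute("CREATE INDEX idx_contacts_tenant ON contacts(tenant_id)")
    return conn


class MissingTenantFilter(Exception):
    """Raised when a statement would read the table without a tenant_id predicate."""


@dataclass(frozen=True)
class TenantSession:
    """Identity established at login; tenant_id is never read from the request."""
    user: str
    tenant_id: str


class TenantScopedRepo:
    """Data access object that binds the session's tenant into every query."""

    def __init__(self, conn: sqlite3.Connection, session: TenantSession):
        self._conn = conn
        self._session = session

    def _run(self, sql: str, params: tuple) -> list:
        # Hypothetical guard: refuse any statement that does not bind tenant_id.
        # A real deployment would enforce this in the database (row-level
        # security policies) as well as in application code.
        if "tenant_id = ?" not in sql:
            raise MissingTenantFilter(sql)
        return self._conn.execute(sql, (self._session.tenant_id, *params)).fetchall()

    def list_contacts(self) -> list:
        return self._run(
            "SELECT id, email FROM contacts WHERE tenant_id = ? ORDER BY id", ()
        )

    def get_contact(self, contact_id: int):
        # Even a primary-key lookup carries the tenant predicate, so an id that
        # belongs to another tenant returns None rather than their row.
        rows = self._run(
            "SELECT id, email FROM contacts WHERE tenant_id = ? AND id = ?",
            (contact_id,),
        )
        return rows[0] if rows else None

    def count_all_contacts_unsafe(self) -> list:
        # Deliberately omits the tenant predicate; the guard rejects it.
        return self._run("SELECT COUNT(*) FROM contacts", ())


if __name__ == "__main__":
    db = build_db()
    acme = TenantScopedRepo(db, TenantSession("alice", "acme"))
    print(acme.list_contacts())      # only acme rows
    print(acme.get_contact(3))       # None: row 3 belongs to globex
    try:
        acme.count_all_contacts_unsafe()
    except MissingTenantFilter as exc:
        print("rejected:", exc)
```

The string check in `_run` is a stand-in for a proper allow-list of prepared statements; the point it makes is that the tenant filter is applied by construction, not remembered per query, and that a cross-tenant lookup by ID yields nothing instead of another customer's row.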

Monitoring & Detection

24/7 Security Monitoring

  • Intrusion Detection: Real-time alerts for suspicious activity
  • Log Analysis: Centralized logging with automated analysis
  • Anomaly Detection: Machine learning models flag unusual patterns
  • Vulnerability Scanning: Automated scans for security holes
  • Uptime Monitoring: External monitoring for availability

Incident Response

  • Response Team: Dedicated security incident response team
  • Response Time: Critical incidents addressed within 1 hour
  • Communication: Affected customers notified promptly
  • Post-Mortem: Root cause analysis and remediation

Third-Party Security

Vetted Sub-Processors

We only work with security-conscious third parties:

  • Stripe: PCI DSS Level 1 certified payment processor
  • AWS: SOC 2 Type II, ISO 27001 certified infrastructure
  • Mailgun: SOC 2 Type II certified email delivery
  • Twilio: SOC 2 Type II certified SMS/voice

Vendor Due Diligence

  • Security questionnaires for all vendors
  • Review of security certifications and audits
  • Contractual security and privacy requirements
  • Regular vendor security assessments

Compliance & Certifications

UK GDPR

Full compliance with UK data protection laws

ISO 27001

Information security management (in progress)

SOC 2 Type II

Security, availability, confidentiality (planned 2026)

Cyber Essentials

UK government-backed cyber security certification

Security Testing

Regular Security Assessments

  • Penetration Testing: Annual third-party pentests
  • Vulnerability Scanning: Automated daily scans
  • Code Reviews: Security-focused peer reviews on all code
  • Dependency Scanning: Automated checks for vulnerable libraries
  • Static Analysis: Automated code analysis for security issues

Bug Bounty Program

We welcome responsible disclosure of security vulnerabilities. Report issues to:

Employee Security

Staff Training & Policies

  • Background Checks: All employees undergo background screening
  • Security Training: Annual security awareness training
  • Access Reviews: Quarterly access audits
  • Clean Desk Policy: No sensitive information left unattended
  • Device Security: Encrypted laptops, MFA on all accounts
  • Confidentiality Agreements: All staff sign NDAs

Data Access

  • Customer data access is logged and audited
  • Support staff only access data with your permission
  • Engineers don't access production data unless debugging a reported issue
  • All access follows principle of least privilege

Your Security Responsibilities

Security is a shared responsibility. You should:

  • Use Strong Passwords: At least 12 characters, unique to Thrust CRM
  • Enable MFA: Use two-factor authentication for your account
  • Keep Credentials Secret: Never share passwords or API keys
  • Review Access: Regularly audit team member permissions
  • Report Suspicious Activity: Contact us immediately if you notice anything unusual
  • Keep Software Updated: Use up-to-date browsers and devices
  • Secure Your Data: Follow GDPR requirements for contacts you store

Security Best Practices

Recommendations for Maximum Security

  1. Enable multi-factor authentication for all team members
  2. Set up IP whitelisting if you have a fixed office location
  3. Use role-based permissions (don't give everyone admin access)
  4. Regularly review and remove inactive users
  5. Set up session timeout to auto-logout after inactivity
  6. Use API keys with minimal required permissions
  7. Rotate API keys every 90 days
  8. Monitor audit logs for unusual activity

Contact Security Team

For security concerns, questions, or to report vulnerabilities: