At SMBcrm, we prioritize data security, system integrity, and service continuity for all our customers. Our mission is to create a secure environment that supports your business operations, allowing you to focus on growth without compromising safety. We have built our infrastructure and processes on industry best practices, ensuring high availability, strong data protection, and compliance with international standards. This document provides an overview of our security controls and the measures we take to maintain a secure, reliable, and compliant platform.
Our security framework focuses on:
1. Customer Trust and Data Protection: Implementing security controls to protect the privacy and confidentiality of all data.
2. Service Availability and Continuity: Ensuring minimal risk to service availability with disaster recovery planning.
3. Data Integrity: Preventing unauthorized alterations to information.
4. Regulatory Compliance: Meeting or exceeding industry standards such as GDPR and CCPA.
SMBcrm utilizes multiple layers of administrative, technical, and physical security controls to protect customer data. Below are the key components of our security framework:
SMBcrm hosts its product infrastructure with world-leading providers, including Google Cloud and Amazon Web Services (AWS). Our product infrastructure is primarily hosted in the United States and is designed with built-in redundancy and high availability to ensure continuous uptime and optimal performance.
• Google Cloud Platform (GCP): Google Cloud provides a highly reliable hosting environment with a minimum of 99.5% uptime, supported by advanced data encryption and security controls. Google’s infrastructure is protected by multiple layers of physical and logical security, including robust access controls, environmental monitoring, and proactive threat detection. GCP’s compliance programs include ISO 27001, SOC 2 Type II, and ISO 22301, ensuring that the infrastructure meets strict international standards.
• Amazon Web Services (AWS): AWS offers industry-leading infrastructure services with a service reliability guarantee ranging from 99.95% to 100%. AWS’s infrastructure includes automated failover, data replication, and built-in disaster recovery plans that are regularly tested and independently validated. With SOC 2 Type II, ISO 27001, and PCI-DSS certifications, AWS ensures that its infrastructure meets the highest levels of data security, availability, and compliance. AWS’s data centers also utilize advanced fire suppression systems, redundant power sources, and restricted physical access to protect against outages or environmental disruptions.
Our reliance on GCP and AWS provides enhanced security for our systems, and we actively monitor their compliance with global security and privacy standards.
SMBcrm enforces strict network controls across all layers of our infrastructure. Multiple layers of firewalls and network access control lists (ACLs) are in place to prevent unauthorized connections to our internal product infrastructure. Changes to network configurations are rigorously managed through a standardized change control process. Firewall rules are regularly reviewed to ensure that only necessary and authorized connections are allowed.
Our infrastructure is managed using automated configuration tools, ensuring consistent baselines across all systems. Server configurations are tracked and updated through a controlled pipeline, with deviations quickly corrected. This process includes automated patch management and regular compliance checks to maintain system integrity.
We maintain comprehensive logging and monitoring of all critical systems and user actions. Logs are securely stored and indexed, and only a small subset of engineers has write access to these storage systems. Automated monitoring tools track error rates, abuse scenarios, and security events, triggering alerts for prompt investigation and resolution. In many cases, our systems are designed to respond automatically to suspicious activities, such as throttling traffic or isolating impacted systems.
Our web application is protected by multi-layered defenses that include firewalls, intrusion detection systems, and DDoS protection. We regularly conduct vulnerability scans, dynamic application testing, and code reviews to identify and mitigate risks. Our application security practices adhere to guidelines from the Open Web Application Security Project (OWASP), helping protect against common threats like SQL injection, cross-site scripting (XSS), and other attacks.
• Encryption: All data is encrypted in transit using TLS 1.2 or higher. At rest, data is stored using AES-256 encryption, ensuring robust protection for sensitive information. Passwords are hashed following industry best practices and never stored in plain text.
• Tenant Separation: Customer data is logically separated using unique identifiers, preventing unauthorized access between tenants. Access rules are continuously validated, ensuring strict isolation of data.
We are committed to minimizing system downtime through strategic infrastructure design. All services are distributed across multiple availability zones, and critical components have failover protection. Our disaster recovery plan is tested regularly to validate our ability to recover from potential incidents quickly.
• Data Backup Strategy: We perform daily backups and retain data for up to seven days. Backups are encrypted and stored in secure locations, with access tightly controlled. Automated monitoring alerts us to any backup issues, ensuring rapid resolution.
SMBcrm uses a robust role-based access control (RBAC) model, ensuring that employees and customers have access only to the resources they need. Multi-factor authentication (MFA) is enforced for all user accounts, and user roles can be customized for granular permissions.
• Background Checks: All employees undergo background checks prior to employment to verify their trustworthiness and suitability for handling sensitive information.
• Security Training: Employees receive regular training on security best practices, including how to identify and prevent phishing attempts and other social engineering threats.
• Role-Based Access: Access to sensitive systems is limited to those with a legitimate business need, and permissions are reviewed semi-annually.
SMBcrm adheres to the strictest data privacy regulations, including GDPR and CCPA. Our compliance team works closely with our engineering and product teams to maintain ongoing adherence to these standards.
• Privacy and Data Retention: Customer data is retained according to our data retention policy. Customers can request data deletions in compliance with applicable regulations.
• Breach Response: In the event of a data breach, we have established procedures to promptly notify affected customers and mitigate the impact.
For more information or questions about our security and compliance practices, please reach out to support@smbcrm.com.