Crestline AI

Security Policy

Effective as of: 2025-07-29

At Crestline Intelligence Private Limited ('Crestline', 'we', 'our', or 'us'), the security, confidentiality, and integrity of customer data is a fundamental priority. This Security Policy outlines the principles, controls, and practices we implement to protect user information and ensure our systems remain resilient against emerging cyber threats.

1. Organizational Commitment

Crestline maintains a comprehensive, organization-wide security program that is aligned with global standards, including ISO/IEC 27001, NIST Cybersecurity Framework, and applicable regional regulatory requirements (such as GDPR, CCPA, and DPDP India). Security governance is overseen by a dedicated internal team and embedded within all development and operational practices.

2. Data Protection and Encryption

All sensitive data—whether in transit or at rest—is encrypted using industry-standard protocols:

• Transport Layer Security (TLS 1.2 or higher) is enforced for all data transmissions.
• AES-256 encryption is used for storing credentials, financial data, and any personally identifiable information (PII).
• API calls and third-party integrations are securely authenticated and monitored.
• Crestline never stores plaintext passwords or unencrypted sensitive content.

3. Access Control

We implement robust identity and access management (IAM) controls:

• Role-based access control (RBAC) ensures that employees, clients, and systems only access resources necessary for their roles.
• All privileged actions are logged and monitored in real time.
• Multi-factor authentication (MFA) is required for all internal administrative interfaces.
• Session management protocols ensure idle sessions are automatically terminated.

4. Infrastructure and Network Security

Our infrastructure is hosted on globally trusted cloud providers with physical data center security, redundancy, and continuous monitoring. We implement:

• Network segmentation and firewall enforcement.
• DDoS protection, rate limiting, and traffic anomaly detection.
• Vulnerability scanning, penetration testing, and automated patching of known CVEs.

5. Software Development and Code Security

All software deployed by Crestline follows a Secure Software Development Lifecycle (SSDLC) that includes:

• Source code reviews and threat modeling.
• Static and dynamic application security testing (SAST/DAST).
• Dependency checks for open-source libraries.
• Staging and production environment isolation.

6. Monitoring and Incident Response

Crestline employs 24/7 monitoring of all production systems and uses centralized logging to identify anomalies and performance risks in real time. In the event of a security incident:

• We follow a documented Incident Response Plan (IRP) with defined roles, escalation protocols, and forensic procedures.
• Users affected by any confirmed breach will be informed in a timely, transparent manner, in accordance with applicable data protection laws.

7. Employee Access and Training

All personnel are background-verified, sign strict confidentiality agreements, and undergo regular security training. Internal access to systems is granted only on a need-to-know basis, with audits conducted periodically.

8. Payment Security

Crestline does not store raw card information. All payment processing is handled through PCI DSS-compliant payment gateways. Credit usage summaries are available to users, and auto-pay systems operate under user-authorized, prepaid structures with full transparency.

9. Third-Party Vendor Security

All third-party vendors undergo rigorous due diligence, and data shared with them is strictly limited to the service scope. Contracts require adherence to equivalent security standards and include audit and breach notification clauses.

10. Policy Updates

This policy is reviewed regularly and updated in line with evolving regulatory standards, technological advancements, and organizational growth. Users will be notified of material changes through official communication channels.