Security
Cragfall takes a practical, risk-based approach to security to protect customer data, maintain service availability, and support compliance obligations. This page explains our controls, practices, and how we treat data used by our product features (including our SaaS discount discovery tools).
Scope & data types
This policy covers data collected through our website and services, including: account and contact data; billing and payment metadata (payments themselves are handled by third-party payment providers); Customer Data (data customers upload to or connect with Cragfall); telemetry and usage logs; integration tokens and API keys; and aggregated or derived data used for analytics and recommendations (for example, identifying potential SaaS discounts).
Data collection & processing
We collect data you provide directly and data generated by your interactions with the service (logs, feature usage, errors). For integrations (e.g., billing connectors) we may process subscription and invoice metadata to analyze spend and surface discount opportunities. That processing is performed only to deliver the service and under the contractual terms in our DPA. We treat Customer Data as controlled by the customer and do not use it for unrelated commercial purposes.
Cookies, tracking & analytics
We use cookies, local storage, pixels, and similar technologies for essential site functionality, analytics, and product performance monitoring. Analytics data is collected to improve product quality, measure feature adoption, and support security monitoring.
Third parties & subprocessors
We engage trusted service providers for hosting, payments, email delivery, analytics, and other services. These subprocessors only process data on our behalf and under contractual obligations that limit their use of the data and require appropriate safeguards. A current list of subprocessors is available upon request by contacting privacy@cragfall.com.
Security controls
- Encryption: TLS for data in transit, and industry-standard encryption for sensitive data at rest (including secrets and integration tokens) wherever our infrastructure supports it.
- Access controls: Role-based access, least privilege, and MFA for administrative access.
- Secrets management: API keys and integration tokens are stored encrypted and access is audited.
- Monitoring & logging: Centralized logs and alerts for anomalous activity, with retention and review procedures.
- Vulnerability management: Regular dependency scanning, scheduled patching, and periodic penetration testing or third-party assessments.
- Development practices: Secure coding standards, code reviews, and automated CI checks to prevent regressions and vulnerabilities.
Incident response & breach notification
We maintain an incident response plan to detect, investigate, contain, and remediate security incidents. If a breach affecting personal data occurs, we will promptly assess its impact and notify affected parties and regulators as required by law. Report suspected incidents to security@cragfall.com.
Retention, deletion & backups
We retain data only as long as needed for service delivery, legal compliance, or legitimate business purposes. Backups are encrypted and retention schedules are enforced. Customers can request deletion of account and Customer Data; deletion requests are subject to verification and applicable retention obligations.
Data transfers
Cragfall is an international service and may transfer data across borders. For transfers from the EEA, UK, or other jurisdictions with transfer restrictions, we use appropriate safeguards such as standard contractual clauses or other lawful mechanisms. Contact us for details or to request contractual protections.
Special note — SaaS discount discovery
Our discount discovery features analyze subscription and billing metadata (not raw payment card data) to identify savings opportunities. These analyses are performed either on anonymized/aggregated data or on Customer Data under the customer’s instruction. We do not sell or share individual customer subscription data for advertising; aggregated insights may be used internally to improve product recommendations.
Data subject rights & compliance
For information on data subject rights (access, correction, deletion, portability) and how we support legal frameworks such as GDPR, CCPA/CPRA, and PIPEDA, see our Privacy Policy and Compliance & Privacy page. To exercise rights, contact privacy@cragfall.com.
Questions & contact
For security inquiries, DPA or subprocessor questions, or to request a security assessment, email security@cragfall.com or privacy@cragfall.com.