Security Best Practices

Overview

Tenant Isolation

What It Means

• No cross-tenant data access
• Separate database namespaces
• Isolated API keys and credentials
• Independent billing and usage

How It Works

• Data is filtered by company_id at the database level
• API requests are scoped to your company
• Users can only access their company's resources
• Multi-tenant architecture ensures complete separation

Best Practices

• Never share API keys between companies
• Use separate credentials for each tenant
• Regularly audit user access
• Monitor for unauthorized access attempts

API Key Management

Creating API Keys

1. Go to Account → API Keys
2. Click Generate New Key
3. Give it a descriptive name
4. Set expiration date (recommended)
5. Copy and store securely (shown only once)

Securing API Keys

• Store keys in environment variables
• Use different keys for different environments
• Rotate keys regularly (every 90 days)
• Use read-only keys when possible
• Monitor key usage

• Commit keys to version control
• Share keys in chat or email
• Use production keys in development
• Leave keys in code comments
• Use the same key everywhere

Key Rotation

1. Generate new key
2. Update all applications using old key
3. Verify new key works
4. Revoke old key
5. Monitor for any issues

Password Security

Strong Passwords

• Minimum 12 characters
• Mix of uppercase, lowercase, numbers, symbols
• Avoid dictionary words
• Don't reuse passwords

Password Management

• Use a password manager
• Enable two-factor authentication (2FA)
• Change passwords regularly
• Never share passwords

Data Source Credentials

Secure Storage

• Credentials are encrypted at rest
• Never stored in plain text
• Encrypted using AES-256-GCM
• Separate encryption keys per tenant

Connection Security

• Use SSL/TLS for all database connections
• Verify SSL certificates
• Use connection strings with proper authentication
• Avoid storing credentials in code

Role-Based Access Control

Principle of Least Privilege

• Give users minimum access needed
• Review permissions regularly
• Remove access when roles change
• Audit access logs

Regular Audits

• Review user roles monthly
• Check for inactive accounts
• Verify permissions are correct
• Document access changes

Network Security

Firewall Rules

• Whitelist only necessary IPs
• Use VPN for admin access
• Restrict database access
• Monitor network traffic

API Security

• Use HTTPS for all API calls
• Implement rate limiting
• Validate all inputs
• Use authentication tokens

Data Privacy

Data Minimization

• Only collect data you need
• Delete unused data regularly
• Anonymize data when possible
• Respect user privacy

Compliance

• Follow GDPR guidelines
• Implement data retention policies
• Provide data export capabilities
• Allow data deletion requests

Monitoring & Logging

Security Monitoring

• Monitor failed login attempts
• Track API usage patterns
• Alert on suspicious activity
• Review access logs regularly

Audit Logs

• All actions are logged
• User activity tracking
• API call logging
• Data access logging

Incident Response

If You Suspect a Breach

1. Immediately: Revoke compromised credentials
2. Change: All passwords and API keys
3. Review: Access logs for unauthorized activity
4. Notify: Your team and Craveva support
5. Document: All actions taken

Prevention

• Regular security audits
• Employee training
• Keep software updated
• Monitor for vulnerabilities

Best Practices Checklist

• [ ] Use strong, unique passwords
• [ ] Enable 2FA where available
• [ ] Rotate API keys regularly
• [ ] Use SSL/TLS for all connections
• [ ] Implement role-based access
• [ ] Monitor access logs
• [ ] Keep credentials encrypted
• [ ] Regular security audits
• [ ] Train team on security
• [ ] Have incident response plan

Compliance

GDPR

• Right to access data
• Right to deletion
• Data portability
• Privacy by design

SOC 2

• Access controls
• Encryption
• Monitoring
• Incident response

Getting Help

• Use platform chat widget for questions
• Contact security team for concerns
• Report vulnerabilities responsibly
• Review security documentation regularly

Next Steps

• Review your current security setup
• Implement missing practices
• Train your team
• Schedule regular audits