Enterprise Technology Platform

The platform every digital business
runs on.

One enterprise platform beneath every business we partner with — APIs, payments, data, operations, all built, operated, and evolved by one team. Aligned to your revenue, not seats.

100M+
users processed
99.99%
platform uptime
1B+
monthly operations
Your stack today 50+ tools
Custom platform AWS / GCP Stripe Cloudflare Salesforce HubSpot Mailchimp Auth0 Okta Zendesk Intercom Slack Segment Snowflake BigQuery Mixpanel Looker Datadog Sentry PagerDuty Twilio Sendgrid Notion Jira GitHub Braze Legacy code + more
On CRAE 1 partner
CRAE
You run the business. We run the platform.
One platform One team Aligned model
The hidden cost

What running it
yourself actually looks like.

Most digital businesses end up running on a patchwork of platforms, custom code, and teams stretched across every vendor in the stack. Scroll through what that really means — and what we replace it with.

Scroll to see
01The backbone

A custom platform you'll spend your career maintaining.

Your engineering team built the backbone from scratch — or inherited a legacy monolith. Either way, 60% of their time goes to infrastructure instead of product. Every new feature fights the existing code.

Custom platform Legacy monolith AWS / GCP PostgreSQL Redis Docker / K8s + more
Thousands of engineering hours, every year
Just keeping the lights on.
02Payments, auth & verification

A different provider for every region. Zero single source of truth.

A separate provider for cards, another for Europe, a vendor for login, another for verification. Every provider has its own format, its own fees, its own failure modes. Reconciliation takes a team of its own.

Stripe Adyen PayPal Worldpay Auth0 Sumsub Onfido Reconciliation code + more
💸
Significant integration overhead, every year
Not counting chargeback chaos.
03Data, CRM & analytics

Multiple tools for "the same data." None of them agree.

Your CRM has one version of your customer. Your marketing tool has another. Events get piped between platforms, but the revenue column doesn't match the warehouse. Every report needs a small team to reconcile.

Salesforce HubSpot Segment Mixpanel Snowflake dbt Looker Data engineers + more
🗂
No single source of truth
Every decision starts with "which number is right?"
04Communications & support

Hiring support is its own full-time job.

Tickets here. Chat there. SMS gateways. Email pipelines. Twenty-four-hour coverage means rotating shifts, multilingual teams, constant attrition. Your head of support spends more time recruiting than on customer outcomes.

Zendesk Intercom Twilio Sendgrid Mailchimp 24/7 hiring Agent turnover + more
👥
A support operation to run in parallel
Teams to hire, train, retain, replace.
05Operations & monitoring

The 3am page nobody signed up for.

Datadog catches the metric. Sentry shows the error. PagerDuty wakes someone up. Your senior engineers are tired of being the only ones who can fix it. One by one, they leave. The institutional knowledge walks out the door with them.

Datadog Sentry PagerDuty Grafana On-call rotation 3am pages Engineer churn + more
🔥
Senior engineer churn
The people you can least afford to lose.
Now imagine none of that

One platform. One team.
One partner, built for the long run.

We replace the entire backbone — APIs, payments, data, operations, support — built, operated, and evolved by our team on one unified platform. Your team focuses on what only you can do: build the product and grow the business.

Product engine
The backbone, APIs and logic your customers run on.
Payments
Multi-provider routing, reconciled in one ledger.
Data & CRM
One source of truth for every customer record.
Support & ops
Our team carries the pager. 24/7, worldwide.
Analytics
Live revenue, retention, cohorts. No reconciliation.
Workflows
Automation, approvals, escalations — handled.
1 platform 1 team Aligned model
// Built on the stack your security team already knows

Integrated where it matters.

We don't reinvent infrastructure that's already great. The platform runs on tier-1 components from providers your auditors already recognise — so sub-processor reviews and procurement diligence are short conversations, not multi-week ones.

AWS Cloudflare Kubernetes Docker Terraform Vault PostgreSQL Redis Kafka ClickHouse Stripe Adyen Grafana GitHub Linear TypeScript

Tier-1 components only · Every sub-processor is named in the DPA ·

// What we build & run

The engine your
product runs on.

One platform, one team, one partner for the whole stack — APIs, data, payments, operations, and support.

Product engine
APIs, logic, data — the backbone your customers run on.
Payments
Multi-provider routing, reconciled in one ledger.
Data & CRM
One source of truth for every customer record.
Operations
Workflows, approvals, 24/7 support — run by our team.
// Production numbers

The scale we actually run.

Live figures from the infrastructure we operate for our partners. These are the numbers production runs at — not marketing, not maximums, just what the system does every month.

0M+
USERS · LIFETIME
Unique identities processed since 2018
0B+
EVENTS · MONTHLY
Across all platform modules
0%
UPTIME · 12mo SLA
Externally measured, contractually guaranteed
0+
YEARS · IN PRODUCTION
Running live infrastructure since 2018
// Ready when you are

Let's build the engine
your product deserves.

Scaling operations, replacing a legacy stack, or launching a new product line — if the scale is there, we'll build the backbone and run it alongside you. Enterprise licensing, long-term partnerships.

We build the
engine your product runs on.

The APIs, logic, data and payments your customers actually use — we build, run, and evolve everything underneath. Your team ships the brand, the experience, and the go-to-market. Our team runs production alongside yours.

what we run for you
DATA & CRM
Every customer, unified.
One source of truth for users, activity, and lifecycle.
PAYMENTS
Routed, retried, reconciled.
Orchestration across your PSPs — not a payment provider ourselves.
OPERATIONS
Run by real people.
Workflows, approvals, escalations, and 24/7 support.
GROWTH
Aligned with yours.
When your revenue grows, ours grows. That's the model.
// 01 · What we bring

A production stack, not a toolset.

When you partner with us, you are not buying software. You are inheriting a running product engine — the backbone every API, payment, and customer touchpoint is already built on. We build the backend: APIs, logic, data, payments, auth. Plus everything around it — CRM, operations, analytics, and support.

00 · The backbone

The product engine your customers actually run on.

This is the core of what we build. Every API, every piece of business logic, every bit of data state and session your product depends on — the engine beneath your brand. You build the experience on top. We build, run, and evolve everything underneath.

  • Plug-and-play backbone for verticals we know cold
  • Fully custom engineering where the scale supports it
  • Your product, your brand — our engine under the hood
Your layer · the brand on top
Your brand Your UI / UX Your go-to-market
powered by
Our platform · the business itself
01 Product backbone APIs your users hit, every second
02 Payments orchestration Multi-PSP routing, retries, reconciliation — one ledger
03 Customer data & CRM One record. Every touchpoint.
04 Identity & KYC Signup to verified in seconds
05 Support & operations Our team runs it, 24/7
06 Analytics & decisions Live revenue, retention, cohorts
01

Customer data & records

The operational heart of your business. Every customer, every action, every outcome — unified in one place, ready for your team to use from day one.

SM
Sarah M. Pro
Member since Mar 2023
Lifetime value €42,180
Activity · 30d High · 47 sessions
Status Active
Attribution Direct · Organic
02

Analytics & insights

The numbers your business runs on. Revenue, retention, conversion, cohort performance — live, accurate, and available the moment you need to make a call.

events.processed · 24h live
03

Workflow & processing

How your business runs day-to-day. Order handling, approvals, customer escalations, and exception workflows — structured, auditable, and faster than the process you run today.

04

Intelligent automation

The machine-learned edge. Churn prediction, fraud detection, personalized triggers, retention playbooks — running on your data automatically, so your team can focus on growth.

05

Payments orchestration

We don't process payments — we orchestrate them. Your PCI-certified PSPs do the regulated work; we sit in front, route dynamically, retry on failure, and reconcile every provider against one internal ledger — so you convert more, charge back less, and always know where the money is.

06

Always-on reliability

The one part most businesses underestimate. 24/7 operations, proactive monitoring, and an engineering team on call — so incidents are caught and resolved before your customers notice them.

platform uptime · last 90d 99.99%
90 days ago today
< 4 min median response
24/7 on-call coverage
0 critical incidents · 30d
07

Operational visibility

Total visibility across the operation. Business health, customer behavior, revenue flows, and platform status — all in one place, for your team and ours.

Business overview Live
Revenue · today €847,210 ↑ 12.4%
Active users · now 14,208 ↑ 8.1%
Payment success 98.6% nominal
Support queue 3 tickets on track
// 02 · Who we work with

Operators with real scale.

We work with SaaS, fintech, marketplaces, consumer platforms, and digital products generating meaningful revenue. Plug-and-play for the verticals we know cold — custom-built for the ones we don't, provided the scale is there to support it.

01

Consumer platforms at scale

High-volume consumer businesses where payments, retention, and support have to work perfectly, every day. The most battle-tested environment we run — every piece of the stack is already live in production.

02

Fintech and payment businesses

Identity, screening, multi-provider routing, reconciliation, and fraud tooling — the operational infrastructure behind payments, financial services, and transaction-heavy platforms.

03

SaaS, marketplaces and digital products

Subscription logic, marketplace mechanics, user lifecycle, retention, analytics — the operational core of any digital business that lives or dies on execution.

// 03 · Commercial model

Built for enterprise operators.

A flat enterprise licence — no seat tiers, no usage drip, no consumption surprises. We work with a small number of operators at scale, and our commercial focus is simple: deliver the best technology and operational support possible to each one.

01

Predictable enterprise licensing

A steady, transparent licence fee that scales with the platform footprint, not your transaction volume. You get budget certainty; we get the freedom to invest in the technology rather than chasing usage metrics.

02

Selective by design

We work with enterprise-grade operators only. No low-ticket, high-churn clients dividing our attention. The result is a small, focused client base — and a platform team that goes deep on each engagement.

03

Tech-quality first

Our incentive isn't to upsell modules or drive consumption — it's to keep delivering the best infrastructure our partners can run on. Long-term licences mean we win when the platform stays the best in its category.

// Get started

Does this sound like a fit?

The commercial model isn't for everyone. But if you're running at meaningful scale and want a partner who actually operates the platform with you — let's talk.

Six years building the
infrastructure operators run on.

CRAE GROUP LTD operates the product backbone for digital businesses end-to-end. One team covers engineering, payments, data, and operations under enterprise licences with a select group of operators at scale. Founded in Cyprus in 2018, the company grew out of running marketing and CRM operations at production scale — and building the infrastructure those operations had to run on. Today that platform is the business.

See open roles
ESTABLISHED 2018 Limassol · Cyprus
100M+ Users served
99.99% Uptime · 12 mo
1B+ Monthly events

How we work.

Our operating model grew out of seven years of running production. These aren't preferences — they're what we've found actually delivers at scale.

01

Long-term engagements

Multi-year partnerships, not transactional projects. We take time to understand the business, build conviction in the partnership, and stay through the cycles. The engagements that work are the ones where we're still there five years later.

02

Enterprise licensing

A flat enterprise licence — no seat tiers, no usage drip, no consumption surprises. Predictable commercials free us to invest in the technology and the partnership instead of chasing transaction metrics.

03

One integrated team

Engineering, payments, data, operations, and support — all under one roof, all accountable to the same outcome. You engage CRAE, not a stack of specialists with competing incentives. When something breaks, one team owns fixing it.

04

Production-first

We ship to live users, not to slide decks. Decisions get resolved in code, in production, under real load. The people who write the system also carry the pager — which is why we have opinions about what "done" means.

Who we hire.

We hire operators who ship without cutting corners. People with deep ownership of what they build, an eye for quality across the whole flow, and the ambition to be part of something that outlasts the quarter. Engineers, payments leads, support managers, finance, commercial — all builders who want to make something they'll still be proud of in five years.

01
Quality, end to end
Respect the whole flow — from the first line of code to the live production edge. Efficient, deliberate, and uncompromising on what reaches the user.
02
Own the outcome
When you build it, you run it. When it breaks, you fix it. When it works, you improve it. No handoffs, no diffusion.
03
Built for scale
Production experience with real users, real revenue, real stakes. You know what breaks at 1M users and how to prevent it.
04
Build for the long run
You want to go deep on one business, not collect company logos. Compounding craft beats a portfolio of shallow wins.
05
Direct communicators
Say the hard thing early. Disagree and commit. Escalate when it matters. No politics, no passive-aggression.
06
Ambitious about the work
You want to build something extraordinary. Not a bigger title, a better bio, or more LinkedIn followers — a product you'll point at in a decade.
Currently hiring across engineering, payments, support, and commercial.
Roles are based in Limassol or remote-EU, depending on function.
View open roles

Let's talk.

Tell us about your business — what you run, the scale you're at, and where infrastructure is getting in the way. We'll respond within 24 hours. If what you're doing isn't a fit for the model, we'll tell you that too.

By submitting, you acknowledge this message is processed under our terms.
// general
General enquiries
Platform, partnerships, press.
contact@craegroup.com →
// hiring
Careers
Open roles and hiring enquiries.
jobs@craegroup.com →
// finance
Billing
Invoices and payment enquiries.
invoices@craegroup.com →

How we take over
your product engine.

A short technical read for the CTO. How we come in, mirror your stack, shift traffic across the edge, and end up running everything end-to-end — no maintenance window, no customer impact.

takeover.log · live
14:02:17discoverevent tap online · 47 services mapped
14:02:19discoverrollout plan ranked by blast radius
14:02:21mirrorCDC connected · debezium streams up
14:02:23mirrorhistorical replay → parity with live
14:02:25mirrordiff harness: 0 drift events
14:02:28shiftcanary 1% → CRAE (SLO )
14:02:31shiftcanary 10% → CRAE (SLO )
14:02:34shiftcanary 50% → CRAE (SLO )
14:02:37shiftcanary 100% → CRAE (SLO )
14:02:40operatelegacy → hot-spare
14:02:42operateCRAE = sole runtime
Cutover
100%
// 01 · How we take over

From your stack to ours, live.

The product engine is the part of your business that runs on code — APIs, data model, billing logic, background workers, the tools your operators use every day. When we take it over, CRAE owns the code, the uptime, the data, and what gets built next. Four steps. Reversible until the last one. No maintenance window.

01 Discover

Read-only access to your repos, infrastructure, observability, and warehouse. We deploy a passive event tap and map the system from live traffic — what calls what, how often, with what shape. You get back a service graph and a rollout plan ranked by blast radius. Nothing in production changes.

Read-only access, passive event tap
Typed contracts extracted from live traffic
Service graph + load heatmap per subsystem
Rollout plan ranked by blast radius
02 Mirror

CRAE stands up in your region, peered into your network. Every write into your existing system mirrors into our event log via CDC. We rebuild your state in our world from the live stream plus a historical replay. Reads are still served by the legacy stack; our derivations get diffed against yours continuously. Disagreements become alerts on our side, not failures on yours.

CDC dual-write (Debezium / outbox / sidecar)
Append-only event log, deterministic IDs
Historical replay to parity with live
Continuous diff; drift surfaces as alerts
03 Shift

A routing layer at the edge — your gateway, a CDN worker, whatever fits — moves traffic across per endpoint and per tenant. Small canary percentages first; promotion happens automatically once latency, errors, and business invariants all hold. Rollback uses the same lever as rollout: a routing change, not a deploy. We cut over subsystem by subsystem — sessions, then payments, then notifications, then reporting. Never big-bang.

Per-tenant percentage routing at the edge
SLO + business-invariant gated promotion
Rollback = routing change, not redeploy
Cutover per subsystem, never big-bang
04 Operate

Legacy is kept hot-spare until reconciliation runs clean for a defined window, then decommissioned on a written runway. Our engineers have been on the pager since the first canary, so on-call ownership moved with the traffic. From here we own the runtime — incidents, changes, releases, capacity. Your CTO talks to ours.

Hot-spare legacy until reconciliation holds
Decommission on a documented runway
On-call ownership moves with the traffic
CTO-to-CTO review against shared dashboards
// 02 · The runtime, once we're it

Six patterns the platform leans on daily.

Once the takeover is complete, what you're paying for is the runtime — the architectural choices behind every request, every transaction, and every 3 a.m. page. Six of the ones that matter most. Specifics live with the partners they apply to.

01 · Financial state

An append-only ledger in front of every PSP.

Routing across multiple payment providers is the easy part. Reconciling what each of them did into one trusted view of financial state is the part that quietly costs operators engineers and credibility.

We don't move money — the regulated PSPs do — but every event they emit lands in one internal reconciliation ledger on our side. Each authorisation, capture, refund, settlement and fee row arrives as a typed double-entry against one canonical transaction ID, no matter which provider produced it. Idempotency keys propagate from edge to database, so retries are safe at every hop. Provider statements reconcile against our ledger via scheduled CDC jobs — not the other way round — so unmatched lines surface as alerts within minutes and disputes have a defensible, replayable answer.

Append-only reconciliation ledger in front of every PSP
Monotonic txn_id, typed double-entry per state transition
End-to-end idempotency keys; safe to retry at every hop
Provider statements reconciled against the ledger, not the reverse
Drift surfaces as a paging alert, not silent eventual consistency
02 · Identity

Why our session layer isn't a vendor.

Buying a hosted auth platform looks like an easy win until you need every session event in your own data plane in real time, with no extra hop to an external API on the critical path.

We own the session boundary. Short-lived signed access tokens are issued at the edge with rotating kids; an opaque server-side session reference is the actual unit of trust, so revocation is instant across the fleet. Device and behavioural signal flow into an in-process feature store, so risk decisions run inline with the request rather than via a vendor round-trip. Third parties (document review, sanctions, behavioural scoring) sit off the hot path, called asynchronously and reconciled back through the same event log everything else feeds.

Edge-issued signed JWTs with rotating kid, short TTL
Opaque server-side session refs — revocation is instant
Device & behaviour signal in an in-process feature store
Vendor calls async only, reconciled via the event log
Risk decisions inline with the request, no round-trip
03 · Data

An event log as the system of record.

Most "real-time" pipelines are batches with shorter intervals. We treat events as the system of record. Every other table — operational, warehouse, dashboards — is a derivation of it.

Producers write to one append-only event log. Stream processors derive the operational views (customer state, balances, session tables, fraud features); analytical views land in the warehouse via the same log, not a parallel ETL. Schemas are versioned and validated at write time; forward-compatible evolution is enforced in CI through a contract test against every registered consumer, so no producer ships a breaking change without it being a typed error in someone else's build. "Where did this number come from?" always has exactly one answer.

Single append-only log, exactly-once via consumer dedup tables
Protobuf schemas in a registry, FORWARD_COMPATIBLE enforced
Consumer contract tests run on every producer PR
Warehouse fed from the same log — no parallel ETL
Operational and analytical views derived from one source
04 · Operations

Carrying the pager without burning the team.

The reason most teams can't sustain round-the-clock operations is structural, not cultural. The on-call rotation is downstream of the system design. Fix the design and the rotation stops eating senior engineers.

Every alert is bound by ID to a runbook entry in version control; every runbook step is either automated or annotated with the reason it isn't. The on-call engineer's job is to confirm the automation made the right call, not to remember what to do at 3 a.m. Pages that fire more than twice without action become a backlog item, not a habit. The people who wrote the code carry the pager for it — no separate ops team, no outsourced NOC. If something pages you tonight, you own the fix tomorrow.

Runbooks-as-code, alert IDs bound to runbook steps
Auto-remediation gated on confidence, human confirms
Noisy alerts are deleted quarterly, not muted
Authors own the pager — no separate ops layer
SLOs drive on-call workload, not the other way round
05 · Vendor abstraction

One adapter interface in front of every third party.

External vendors — verification, screening, communications, fraud signal — each come with their own format, cadence, and definition of "done". Wire them straight into the product surface and you end up rewriting flows every time a contract changes.

A thin normalisation layer sits between the product and the vendor estate. Every external check implements the same adapter interface and resolves to a typed status (pending, passed, failed, needs_review). A circuit breaker per vendor with hedged requests handles flakiness without escalating to the user. New vendors are shadow-evaluated against live traffic for weeks before any percentage is routed to them. Compliance gets one audit trail, legal gets one place to express jurisdiction rules, and commercial renegotiations stop being existential.

Single adapter interface, typed uniform status surface
Per-vendor circuit breaker with hedged requests
Shadow evaluation against live traffic before routing
Swap = routing config change, no product PR
One audit trail, one place for jurisdiction rules
06 · Cost of ownership

The reconciliation tax most stacks pay forever.

Every "best-of-breed tool" added to the stack carries a quiet headcount cost whose only job is to make the numbers line up between systems. Nobody hires for it on day one. By year three it's one of the larger line items in operations — split across data, finance, and platform engineering so no single budget owner ever sees the whole bill.

A unified backbone collapses the tax because there's nothing to reconcile in the first place. The same canonical event drives the customer record, the ledger, the warehouse row, and the operator dashboard. CRM, billing, product DB and BI are derivations of one log, not independent systems that have to be argued into agreement at month end. Engineering hours that used to be spent making systems agree get spent on the product instead — and that recovered capacity is the single largest hidden return we see when we replace a partner's legacy stack.

CRM, ledger, warehouse, dashboards = derivations of one log
No month-end reconciliation between internal systems
External (PSP) statements still reconcile, but against the ledger
FTE tax distributed across teams collapses to zero on-platform
Engineering capacity returns to the product, not to glue code
// Want a deeper look?

We answer engineering
questions, in writing.

If you're evaluating us for a real workload, we'll happily walk your engineering team through the architecture, the ledger model, the deployment topology — whatever moves the decision forward. Direct contact with the people who built it, not a sales engineer.

// Security & trust

The posture
behind the platform.

If you're handing CRAE the backbone, you're handing us the obligations that come with it. A short summary of how we're set up — controls, residency, sub-processors, incident response — and where the platform is engineered to carry your own certifications when the time comes. Detailed documentation is shared with onboarded partners only.

security@craegroup.com
// 01 · Frameworks & controls

Aligned to the standards that matter.

Two things we hold directly: PCI-DSS coverage through our certified payment partners, and GDPR as data processor under EU law. Everything else is platform-side readiness — the controls are in place so a partner can pursue their own attestations with us as the technical foundation, and we'll spearhead the application work alongside their compliance team.

PCI-DSS Held · via certified PSPs

Cardholder data, out of scope by design.

We do not store, process, or transmit primary account numbers in our platform. Cardholder data is handled exclusively by PCI-DSS Level 1 certified payment partners through tokenised flows — our systems only ever see vendor tokens and the last-four metadata required to reconcile a transaction. The PCI obligation sits where the regulator wants it: with the certified processor.

GDPR · EU Held · DPO appointed

Data protection under Cyprus & EU law.

CRAE GROUP LTD is established in Cyprus (HE 391918) and operates as a data processor under enterprise DPAs with every partner. A DPO is appointed and reachable directly at privacy@craegroup.com. Subject access, deletion, portability, and breach notification procedures are all documented and SLA-bound in the partner agreement.

ISO 27001 · SOC 2 Platform-ready · client-led

Engineered to carry your certification, not ours.

The platform's controls — access management, change control, monitoring, supplier risk, incident response — are designed against the same control sets these frameworks require. Certification itself is a question for the operating company, not the technology backbone. When a partner pursues their own attestation, we contribute the technical evidence and spearhead the application work alongside their compliance team.

Documentation Onboarded partners only

Detailed disclosures, behind the partnership line.

Architecture diagrams, control evidence, sub-processor lists, the DPA, BCP/DR summaries and the full product library are made available once a partnership is on contract. This is an IP-protection measure, not a transparency one — the controls themselves are summarised here in full.

// 02 · Data residency & cryptography

EU-only data plane. No exceptions.

Customer data lives in EU-resident infrastructure, encrypted in transit and at rest, with keys we control. We don't move data outside the EU for processing convenience.

01

EU residency

Primary region in Frankfurt (eu-central). Operational headquarters in Limassol (CY). Backups replicated within the EU. No personal data leaves the EU at rest or in processing — including support, analytics, and observability tooling.

02

Encryption in transit

TLS 1.3 enforced on all external endpoints. Strict cipher policy, HSTS preloaded. Internal service-to-service traffic uses mutual TLS with short-lived certificates issued by an internal CA, rotated automatically.

03

Encryption at rest

AES-256 at the volume layer for every datastore. Application-layer envelope encryption for sensitive fields (KYC documents, payment metadata, agent notes). Keys managed in a dedicated KMS with hardware-backed roots, rotation and access logged.

// 03 · Operational security

How we run the platform daily.

The boring controls. Access, monitoring, change management, vulnerability response. These are the ones that matter in an incident.

Access

Least-privilege by default

SSO with hardware-key MFA mandatory for all employees. Production access is just-in-time, time-boxed, and reviewed against a documented business reason. All privileged actions are logged to an append-only audit store separate from production. Quarterly access reviews against the principle of least privilege.

Change

Every change is reviewed and traceable

All code goes through peer review and CI before merge. Infrastructure is described as code; nothing reaches production by hand. Every deployment is reversible within minutes via the same pipeline that shipped it. Schema changes are gated by automated migration tests against production-shaped data.

Monitoring

24/7 detection & response

Continuous monitoring of authentication, privileged actions, network egress, and anomalous data access. On-call engineers paged on signal, not noise. Median acknowledgement under four minutes, around the clock. Engineering, not a separate SOC, owns the response — the people who built it are the people who fix it.

Vulnerabilities

Patch fast, test honestly

Dependency scanning on every build, SCA gating in CI, and an internal SLA on CVE remediation: critical within 24 hours, high within 7 days. Annual third-party penetration test against the production platform; remediation tracked publicly to our partners. Coordinated disclosure programme open to researchers.

// 04 · Sub-processors

Who we trust with what.

The full sub-processor list is provided as part of the DPA. The categories below cover the substantive ones. We give 30 days' notice before adding or changing a sub-processor that handles personal data.

Infrastructure

Hosting & compute

Tier-1 EU cloud provider (Frankfurt, eu-central-1 region). ISO 27001, SOC 2 Type II, C5 attested. EU data residency contractually guaranteed.

Payments

Payment providers

PCI-DSS certified PSPs handle authorisation, capture, settlement and payouts — we provide the gateway and orchestration layer in front. The provider set is chosen per partner to match regional regulatory coverage and operating model; routing is dynamic across risk, cost, and availability; the mix is disclosed in the partner DPA.

Identity

KYC & sanctions screening

Vetted document verification and sanctions providers, abstracted behind a single internal endpoint (see Insights #05). Vendor list disclosed in the DPA.

Communications

Email & SMS delivery

Transactional delivery via EU-hosted providers. Marketing communications routed only after explicit opt-in captured at source.

Observability

Logs, metrics & tracing

Self-hosted within the EU region. No customer PII shipped to third-party observability vendors — at all. Operational telemetry only.

Productivity

Internal tooling

EU-residency configurations enforced on every collaboration tool. Customer data is not stored in productivity tools; only metadata required for operating the partnership.

// 05 · Incident response

What happens when something goes wrong.

No vendor is incident-free. The question is how an incident is handled — who knows, how fast, and what changes afterwards.

01 · Detect

Signal first, page second

Continuous monitoring paged engineers in under four minutes (median) across the last 12 months. Suspected security events trigger a dedicated playbook separate from operational incidents — different responders, different containment first.

02 · Notify

Partners notified inside 24h

Confirmed security incidents that affect a partner are communicated within 24 hours of confirmation — direct from engineering, not via a PR channel. GDPR Article 33 notification handled by the DPO within 72 hours as required.

03 · Close out

Public post-mortem

Every P1 results in a blameless written post-mortem shared with affected partners: timeline, contributing factors, remediation, and the action items we own to prevent recurrence. We track those action items publicly to our partners until they close.

// Partner due diligence

Want a deeper conversation?

The security pack, sub-processor list, DPA, BCP/DR summary, architecture overview, and the full product library are shared with partners on contract — not in pre-sales, to protect both sides' IP. For early conversations: security@craegroup.com. Data protection: privacy@craegroup.com.