Leak prevention: the security checklist after our 3rd enterprise client (2026)
By the third enterprise client we realised «security on request» no longer scales. We compiled a 27-item internal checklist — without it, do not bother bidding above 8M ₽.
Creastra Digest
- 27 items in four loops: code, infrastructure, process, people
- Full rollout takes six weeks and ~380,000 ₽ in infrastructure
- Once in place, the client's audit cycle shrinks from 8 weeks to 2
After the third enterprise client in 2025 I sat down and honestly reviewed our security posture. Previously we did exactly what each auditor's survey asked, and every time it was a 4–6 week chaos sprint. By early 2026 we work through a 27-item internal checklist as a daily practice. New-client audit cycles shrank from 8 weeks to 2 as a result.
Loop 1. Code
- SAST in CI on every PR (Semgrep plus a paid scanner for high-risk repos)
- Dependency scanning with auto-PRs (Renovate)
- Secrets only via Vault or GitHub OIDC; .env is forbidden
- Pre-commit hook with gitleaks — catches leaks before push
- 100% of merges to main require review — no exceptions
- Docker images built from distroless or Alpine and scanned with Trivy
- SBOM generated per release and retained for 24 months
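An added illustration of the gate behind the two secret-handling items above (not Creastra's hook, and not gitleaks itself, which ships hundreds of rules): a simplified pre-commit scanner over the staged diff that refuses any `.env` file outright and refuses added lines that carry a known credential shape or a high-entropy value assigned to a secret-looking name. The rule set, the entropy threshold and the sample diff are constructed for the example.

```python
"""Pre-commit secret gate: a simplified, added stand-in for the gitleaks hook.

Constructed example, not Creastra's hook. It shows the two decisions the hook
makes: refuse any staged .env file, and refuse diffs whose added lines match a
known credential shape or assign a high-entropy value to a secret-looking name.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Paths that must never be committed (the ".env is forbidden" rule).
FORBIDDEN_PATH_RE = re.compile(r"(^|/)\.env(\.[A-Za-z0-9_-]+)?$")
# Committed templates are allowed by path but still content-scanned below.
ALLOWED_TEMPLATES = (".env.example", ".env.template")

# A few well-known credential shapes (public formats; gitleaks has hundreds).
CREDENTIAL_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github-pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

# A long opaque value assigned to a secret-looking variable name.
ASSIGNMENT_RE = re.compile(
    r"(?i)(secret|token|password|passwd|api[_-]?key)\w*\s*[:=]\s*['\"]?"
    r"([A-Za-z0-9+/=_\-]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per char; assumption tuned for base64-ish tokens


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # 0 means the path itself is the finding
    rule: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; 0.0 for empty or single-symbol strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_staged(files: Dict[str, List[str]]) -> List[Finding]:
    """files maps a staged path to its ADDED lines (the '+' side of the diff)."""
    findings: List[Finding] = []
    for path, added in files.items():
        if FORBIDDEN_PATH_RE.search(path) and not path.endswith(ALLOWED_TEMPLATES):
            findings.append(Finding(path, 0, "forbidden-env-file"))
            continue  # the file itself is the finding; no need to read it
        for no, line in enumerate(added, start=1):
            for rule, pat in CREDENTIAL_PATTERNS.items():
                if pat.search(line):
                    findings.append(Finding(path, no, rule))
            m = ASSIGNMENT_RE.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, no, "high-entropy-secret"))
    return findings


def hook_exit_code(files: Dict[str, List[str]]) -> int:
    """Non-zero blocks the commit, which is how pre-commit reads a hook result."""
    return 1 if scan_staged(files) else 0


# Constructed staged diff: one forbidden file, one real-looking key (the AWS
# documentation's example key id), one low-entropy placeholder, one random token.
SAMPLE_STAGED = {
    "config/.env": ["DB_PASSWORD=whatever"],
    "src/settings.py": [
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"',
        'PASSWORD = "aaaaaaaaaaaaaaaaaaaa"',
        "DEBUG = False",
    ],
    "deploy/notes.md": ["export API_TOKEN=Zx9QvT3pLm2Rk8Wn4Jh6Yc1Bd5Fg7"],
}

if __name__ == "__main__":
    for f in scan_staged(SAMPLE_STAGED):
        print(f"{f.path}:{f.line_no}: {f.rule}")
    raise SystemExit(hook_exit_code(SAMPLE_STAGED))
```

The entropy check is what catches tokens no regex knows about; the trade-off is false positives on long random-looking constants, which is why the real hook (gitleaks) pairs it with an allowlist file kept in the repo.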
Loop 2. Infrastructure
- Production lives in private VPCs; access via a bastion with MFA
- Encryption at rest for DB and S3, KMS-managed keys rotated every 90 days
- TLS 1.3 everywhere, HSTS on, SSL Labs grade A or higher
- Edge WAF (Cloudflare or equivalent) with OWASP top-10 rules
- Logs centralised in one place with 12-month retention
- Hourly backups; restore tested quarterly
- DR plan with 4 h RTO and 1 h RPO, drilled quarterly
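One way to verify the "TLS 1.3 everywhere, HSTS on" item mechanically, as an added example rather than Creastra's own tooling: parse the Strict-Transport-Security header (RFC 6797 syntax) and compare it, together with the negotiated TLS version, against a written policy. The 12-month max-age minimum, the includeSubDomains requirement and the host snapshots are assumptions constructed for this example; the page states only the checklist line itself.

```python
"""HSTS / TLS policy check, an added example (not Creastra's tooling).

Checks a captured host snapshot (negotiated TLS version plus response headers)
against the checklist rule "TLS 1.3 everywhere, HSTS on". MIN_MAX_AGE and the
includeSubDomains requirement are assumptions chosen for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MIN_MAX_AGE = 31_536_000            # 12 months in seconds (assumption)
ALLOWED_TLS_VERSIONS = {"TLSv1.3"}  # "TLS 1.3 everywhere"


@dataclass
class HstsResult:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(header: Optional[str]) -> HstsResult:
    """Parse per RFC 6797: ';'-separated directives, case-insensitive names,
    optional quoted values, max-age required, unknown directives ignored,
    duplicate directives invalid."""
    if header is None:
        return HstsResult(present=False, problems=["header missing"])
    res = HstsResult(present=True)
    seen = set()
    for raw in header.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            res.problems.append(f"duplicate directive {name}")
        seen.add(name)
        if name == "max-age":
            if re.fullmatch(r"\d+", value):
                res.max_age = int(value)
            else:
                res.problems.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            res.include_subdomains = True
        elif name == "preload":
            res.preload = True
    if "max-age" not in seen:
        res.problems.append("max-age missing")
    elif res.max_age is not None and res.max_age < MIN_MAX_AGE:
        res.problems.append(
            f"max-age {res.max_age} below policy minimum {MIN_MAX_AGE}"
        )
    if not res.include_subdomains:
        res.problems.append("includeSubDomains missing")
    return res


def check_edge(host: Dict) -> List[str]:
    """host: {"tls_version": str, "headers": {name: value}}; header names are
    matched case-insensitively, as HTTP requires. Returns policy violations."""
    problems: List[str] = []
    if host["tls_version"] not in ALLOWED_TLS_VERSIONS:
        problems.append(f"negotiated {host['tls_version']}, policy requires TLS 1.3")
    headers = {k.lower(): v for k, v in host["headers"].items()}
    hsts = parse_hsts(headers.get("strict-transport-security"))
    problems.extend("HSTS: " + p for p in hsts.problems)
    return problems


# Constructed snapshots standing in for what a scanner would record per host.
GOOD_HOST = {
    "tls_version": "TLSv1.3",
    "headers": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
}
WEAK_HOST = {
    "tls_version": "TLSv1.2",
    "headers": {"strict-transport-security": "max-age=300"},
}
NO_HSTS_HOST = {"tls_version": "TLSv1.3", "headers": {}}

if __name__ == "__main__":
    for label, host in (("good", GOOD_HOST), ("weak", WEAK_HOST), ("no-hsts", NO_HSTS_HOST)):
        print(label, check_edge(host) or ["ok"])
```

Running this against every public hostname in the inventory, not just the apex domain, is what makes "everywhere" checkable; a single forgotten staging host with TLS 1.2 or no HSTS is exactly what an auditor's external scan will find.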
Loop 3. Process
The most underrated loop. You can buy any software, but without a «how we respond» runbook the team chats into the void at 3 AM. We wrote an incident playbook with four levels: P1 — outage; P2 — degradation; P3 — bug with leak risk; P4 — ordinary bug. For each level we define who calls, who writes, who escalates, and by when.
Loop 4. People
- Every hire completes a security onboarding in week one — two hours of theory plus a 30-minute phishing simulation
- MFA on every service: Google, GitHub, Slack, 1Password, VPN
- 1Password as the corporate vault — no personal accounts on work services
- A phishing campaign every six months with results discussed at all-hands
- Off-boarding revokes access within 30 minutes via a 14-item checklist
- Remote work only on managed laptops with FileVault/BitLocker
What most enterprises ask for
Across three 2024–2025 audits the same pain points kept recurring. Common asks: ISO 27001-equivalent practices (no mandatory certification), a standalone DPA, a documented DPIA process, a data-flow diagram with PII annotations, an incident response policy, and a 12-month CVE history of our dependencies. All these artefacts live in a shared «security-pack» folder, refreshed quarterly.
What we deliberately do not do
- We do not certify ISO 27001 — overkill at our size
- We do not run an in-house SOC — monitoring is outsourced to a managed provider
- We do not promise pentests on every project — that is a client cost, not ours
- We do not lean on «zero trust» as a buzzword — we list exactly what is in place