System Security and Resilience Notice
Product and Service Security
All product systems are scanned for vulnerabilities at least annually, or in response to any significant changes to our Services, and all vulnerability findings are reported, tagged, and tracked to resolution. Records of findings are retained for a minimum of 5 years. Penetration testing is performed by CRED’s security team and/or an independent third party. Findings from a vulnerability scan and/or penetration test are analyzed in conjunction with the Security Officer, IT and our engineering team.
CRED adheres to a Software Development Lifecycle Policy. This policy defines the process requirements that give business program managers, business project managers, technical project managers, and other program and project stakeholders guidance on the approval, planning, and life-cycle development of CRED Investments software systems, so that their processes are repeatable and Personal Data is kept secure and confidential at every stage of the process.
We thoroughly assess our code for functionality and security weaknesses at each stage of development and maintenance. All software deployed on Corporate or Hosted infrastructure actively addresses the security issues covered by SANS and OWASP. Any modifications to the source code follow established change management procedures. Prior to deployment, our code undergoes both automated and manual testing.
CRED's APIs are built to deliver a reliable and scalable solution for Corporate Clients while enforcing security measures. Every API request requires authentication using the account holder's confidential API key, sent via HTTP Basic Auth. We also support OAuth 2.0, enabling third-party applications to access our service. To protect against malicious traffic, CRED implements a range of rate limiting controls.
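To make the two controls named above concrete (API-key authentication over HTTP Basic Auth, followed by per-account rate limiting), the following is an added example written for this page; it is not CRED's code and says nothing about how CRED's service is actually implemented. It assumes a server that stores only a SHA-256 digest of each API key, compares digests in constant time, and applies a token-bucket limit per authenticated account. The account name, key value and bucket sizes are constructed placeholders.

```python
import base64
import hashlib
import hmac
import time

# Constructed sample: the server keeps only a SHA-256 digest of each API key,
# keyed by account id, so a leaked table does not yield usable credentials.
# "acct_demo" and the key value are placeholders invented for this example.
API_KEY_DIGESTS = {
    "acct_demo": hashlib.sha256(b"demo-api-key-not-real").hexdigest(),
}


def parse_basic_auth(header_value):
    """Return (username, secret) from an 'Authorization: Basic ...' header,
    or None if the header is absent or malformed."""
    if not header_value:
        return None
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        decoded = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in decoded:
        return None
    user, _, secret = decoded.partition(":")
    return user, secret


def authenticate(header_value):
    """Verify the API key carried in HTTP Basic Auth and return the account id,
    or None. The presented key is hashed and compared with hmac.compare_digest
    so the comparison time does not depend on how many leading bytes match."""
    creds = parse_basic_auth(header_value)
    if creds is None:
        return None
    account, presented = creds
    # Compute a digest even for unknown accounts so response timing does not
    # distinguish "no such account" from "wrong key".
    expected = API_KEY_DIGESTS.get(account, "0" * 64)
    presented_digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    if hmac.compare_digest(expected, presented_digest) and account in API_KEY_DIGESTS:
        return account
    return None


class TokenBucket:
    """Per-client token bucket: `capacity` requests of burst, refilled at
    `rate` tokens per second. Each allowed request consumes one token."""

    def __init__(self, capacity, rate):
        self.capacity = capacity
        self.rate = rate
        self._buckets = {}  # client id -> [tokens, timestamp of last refill]

    def allow(self, client, now=None):
        now = time.monotonic() if now is None else now
        tokens, last = self._buckets.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        if tokens < 1:
            self._buckets[client] = [tokens, now]
            return False
        self._buckets[client] = [tokens - 1, now]
        return True


def handle_request(headers, limiter, now=None):
    """Authenticate first, then rate-limit per authenticated account.
    Returns an HTTP status code: 401 (bad credentials), 429 (limited) or 200."""
    account = authenticate(headers.get("Authorization"))
    if account is None:
        return 401
    if not limiter.allow(account, now):
        return 429
    return 200


def basic_header(user, secret):
    """Build the Authorization header a client would send (demo helper)."""
    raw = f"{user}:{secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    limiter = TokenBucket(capacity=3, rate=1.0)
    good = {"Authorization": basic_header("acct_demo", "demo-api-key-not-real")}
    bad = {"Authorization": basic_header("acct_demo", "wrong-key")}
    print(handle_request(bad, limiter, now=0.0))                      # 401
    print([handle_request(good, limiter, now=0.0) for _ in range(4)])  # [200, 200, 200, 429]
    print(handle_request(good, limiter, now=1.0))                     # 200 after one second of refill
```

Rate limiting is applied only after authentication succeeds so that a flood of bad credentials cannot exhaust a legitimate account's quota; unauthenticated traffic would typically be limited separately by source address at the edge. The `now` parameter exists so the refill logic can be exercised deterministically.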