System Security Notice

Last updated: January 2025

At CRED, security is a foundational principle that guides every aspect of our platform design, development, and operations. We understand that our customers entrust us with sensitive business data, and we take that responsibility seriously. This System Security Notice provides an overview of the technical and organizational security measures we implement to protect your data and maintain the integrity, availability, and confidentiality of the CRED platform.

Our security program is built on industry-recognized frameworks and best practices, including SOC 2 and the NIST Cybersecurity Framework. We undergo regular independent audits and assessments to validate the effectiveness of our controls and continuously improve our security posture in response to evolving threats and regulatory requirements.

Security Overview

CRED's security program is managed by a dedicated security team that reports directly to the Chief Technology Officer. The team is responsible for establishing and enforcing security policies, conducting risk assessments, managing vulnerability programs, overseeing incident response, and ensuring compliance with applicable regulatory requirements. Our security strategy is based on a defense-in-depth approach, employing multiple layers of security controls at every level of the technology stack.

We maintain a comprehensive information security management system (ISMS) that covers all aspects of our operations, including asset management, access control, cryptography, physical security, operations security, communications security, system acquisition and development, supplier relationships, incident management, business continuity, and compliance. This ISMS is reviewed and updated at least annually, or more frequently in response to significant changes in the threat landscape or our business operations.

CRED has established a security governance framework that includes a formal risk management process, regular security steering committee meetings, defined security roles and responsibilities, and clear escalation procedures. Security considerations are embedded into our product development lifecycle through security design reviews, threat modeling, secure coding practices, and automated security testing.

Infrastructure

The CRED platform is hosted on enterprise-grade cloud infrastructure provided by Amazon Web Services (AWS) and Google Cloud Platform (GCP), both of which maintain SOC 2 and numerous other industry certifications. Our infrastructure is deployed across multiple availability zones within each region to ensure high availability and fault tolerance. We run a containerized microservices architecture with automatic scaling to handle varying workloads and maintain consistent performance.

Our network architecture implements strict segmentation to isolate different components of the platform and limit the blast radius of potential security incidents. We use virtual private clouds (VPCs) with network access control lists (NACLs) and security groups to restrict traffic between services. All external-facing services are protected by web application firewalls (WAFs) and distributed denial-of-service (DDoS) mitigation services. We maintain separate environments for development, staging, and production, with strict controls governing the promotion of code and configuration changes between environments.

Database systems are deployed in private subnets with no direct internet access. All database connections are authenticated and encrypted. We implement automated backup procedures with point-in-time recovery capabilities, and backup data is encrypted and stored in a geographically separate location from the primary database. Our disaster recovery plan defines a recovery point objective (RPO) of 1 hour and a recovery time objective (RTO) of 4 hours, validated through regular testing.

Encryption

CRED employs strong encryption standards to protect data at every stage of its lifecycle. All data transmitted between clients and the CRED platform is encrypted using Transport Layer Security (TLS) 1.2 or higher. We enforce HTTP Strict Transport Security (HSTS) headers and support only strong cipher suites that provide forward secrecy. Our TLS configuration is regularly audited and updated to reflect current best practices and to address newly discovered vulnerabilities.

Data at rest is encrypted using AES-256. This includes all database storage, object storage, backup data, and log files. Encryption keys are managed through dedicated key management services (AWS KMS and GCP Cloud KMS) with hardware security module (HSM) backing. Key rotation is performed automatically on a regular schedule, and access to encryption keys is strictly controlled and logged. We implement envelope encryption patterns where appropriate: each data encryption key (DEK) is stored only in wrapped form, protected by a key encryption key (KEK) that never leaves the key management service, which is what allows a KEK rotation to re-wrap DEKs without re-encrypting the underlying data.
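
The envelope pattern described above, as an added example that is not CRED's code: a simulated KMS holds the KEKs, hands out a fresh DEK together with its wrapped form, binds each wrapped DEK to an encryption context, and re-wraps on KEK rotation without touching the bulk ciphertext. The AEAD is a standard-library stand-in (an HMAC-SHA256 counter-mode keystream with an HMAC tag) for AES-256-GCM; the SimulatedKms class, the key identifier and the encryption-context format are assumptions made for illustration.

```python
"""Envelope encryption with a simulated KMS (added example, not CRED's code).

The AEAD here is an HMAC-SHA256 counter-mode keystream plus an HMAC tag
(encrypt-then-MAC), standing in for AES-256-GCM so the example needs only the
standard library; use a vetted AES-GCM in production. The key hierarchy,
encryption-context binding and rotation flow are the pattern itself.
"""
import hashlib
import hmac
import secrets

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes) -> tuple:
    # Derive independent encryption and MAC keys from one 256-bit key.
    return hashlib.sha256(b"enc|" + key).digest(), hashlib.sha256(b"mac|" + key).digest()

def aead_encrypt(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def aead_decrypt(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key, wrong context, or modified data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def _context_bytes(context: dict) -> bytes:
    # The encryption context is authenticated (AAD) but not secret; it binds a wrapped DEK to its owner.
    return ",".join(f"{k}={v}" for k, v in sorted(context.items())).encode()

class SimulatedKms:
    """Models AWS KMS / Cloud KMS (assumption): KEKs are created, rotated and used here, never exported."""

    def __init__(self):
        self._keks = {}      # key_id -> {version: kek bytes}
        self._current = {}   # key_id -> current version
        self.audit = []      # every KEK use is recorded, as a real KMS does via its audit log

    def create_key(self, key_id: str) -> None:
        self._keks[key_id] = {1: secrets.token_bytes(32)}
        self._current[key_id] = 1

    def rotate_key(self, key_id: str) -> None:
        version = self._current[key_id] + 1
        self._keks[key_id][version] = secrets.token_bytes(32)
        self._current[key_id] = version   # older versions stay available for unwrapping

    def _wrap(self, key_id: str, dek: bytes, context: dict) -> tuple:
        version = self._current[key_id]
        self.audit.append(("Encrypt", key_id, version, context))
        return key_id, version, aead_encrypt(self._keks[key_id][version], dek, _context_bytes(context))

    def generate_data_key(self, key_id: str, context: dict) -> tuple:
        dek = secrets.token_bytes(32)
        return dek, self._wrap(key_id, dek, context)

    def decrypt_data_key(self, wrapped: tuple, context: dict) -> bytes:
        key_id, version, blob = wrapped
        self.audit.append(("Decrypt", key_id, version, context))
        return aead_decrypt(self._keks[key_id][version], blob, _context_bytes(context))

    def re_encrypt(self, wrapped: tuple, context: dict) -> tuple:
        # Unwrap under the old KEK version, re-wrap under the current one; the DEK never leaves the KMS.
        return self._wrap(wrapped[0], self.decrypt_data_key(wrapped, context), context)

def encrypt_record(kms: SimulatedKms, key_id: str, plaintext: bytes, context: dict) -> dict:
    dek, wrapped = kms.generate_data_key(key_id, context)
    return {"context": context, "wrapped_dek": wrapped,
            "ciphertext": aead_encrypt(dek, plaintext, _context_bytes(context))}

def decrypt_record(kms: SimulatedKms, record: dict) -> bytes:
    dek = kms.decrypt_data_key(record["wrapped_dek"], record["context"])
    return aead_decrypt(dek, record["ciphertext"], _context_bytes(record["context"]))

def rotate_record(kms: SimulatedKms, record: dict) -> dict:
    """After a KEK rotation only the small wrapped DEK is re-wrapped; the bulk ciphertext is untouched."""
    return {**record, "wrapped_dek": kms.re_encrypt(record["wrapped_dek"], record["context"])}
```

Two properties are worth checking when reviewing a real deployment against this model: a wrapped DEK presented with a different encryption context (here, a different tenant) must fail to unwrap, and records encrypted under an old KEK version must remain decryptable until they have been re-wrapped, so rotation can proceed lazily.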

Sensitive application-level data, such as API keys, access tokens, and credentials, is encrypted using application-layer encryption in addition to storage-level encryption. We use dedicated secrets management systems to store and distribute sensitive configuration data, with access controls and audit logging for all secret access operations.

Access Controls

CRED implements the principle of least privilege across all systems and personnel access. Access to production systems, customer data, and sensitive infrastructure is restricted to authorized personnel who require such access to perform their job functions. All access is granted on a need-to-know basis and is subject to regular review and recertification.

Multi-factor authentication (MFA) is required for all employee access to internal systems, including email, code repositories, cloud consoles, and production environments. We use single sign-on (SSO) with centralized identity management to ensure consistent authentication policies across all services. Privileged access to production systems is managed through just-in-time (JIT) access provisioning, where elevated permissions are granted for limited time periods and automatically revoked upon expiration.

For customers, the CRED platform supports role-based access control (RBAC) with customizable roles and permissions. Organization administrators can define access policies, manage user roles, enforce MFA requirements, and configure IP allowlists. We also support integration with enterprise identity providers through SAML 2.0 and OpenID Connect (OIDC) for seamless single sign-on. All authentication events and access changes are logged and available for audit purposes.

Monitoring

CRED maintains comprehensive monitoring and logging capabilities to detect, investigate, and respond to security events in real time. We collect and centralize logs from all system components, including application servers, databases, network devices, authentication systems, and security tools. Log data is stored in a tamper-evident, append-only format and retained for a minimum of twelve (12) months.
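
One way to make a log store tamper-evident, as an added example rather than CRED's logging pipeline: each entry's hash covers the previous entry's hash, its sequence number and its payload under an HMAC key held by the log service, and a periodic checkpoint (head hash plus entry count) is anchored somewhere the log writer cannot modify. The sample events, the key and the checkpoint format are constructed for illustration. The chain alone detects edits and deletions in the middle of the log; the checkpoint is what detects truncation of the tail, which is the caveat that matters when evaluating "append-only" claims.

```python
"""Tamper-evident, append-only log: a keyed hash chain with an out-of-band anchor.
Added example, not CRED's logging pipeline."""
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32

# Constructed sample audit events, not real CRED log data.
SAMPLE_EVENTS = [
    {"ts": "2025-01-14T09:00:01Z", "actor": "alice", "action": "login", "result": "success"},
    {"ts": "2025-01-14T09:02:17Z", "actor": "bob", "action": "login", "result": "failure"},
    {"ts": "2025-01-14T09:03:40Z", "actor": "alice", "action": "role.update", "result": "success"},
    {"ts": "2025-01-14T09:05:02Z", "actor": "carol", "action": "secret.read", "result": "success"},
]

def entry_hash(prev_hash: bytes, seq: int, record: dict, key: bytes) -> bytes:
    """Keyed, so an attacker who can edit the store cannot rebuild a consistent chain."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_hash + seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()

class ChainedLog:
    def __init__(self, key: bytes):
        self._key = key       # held by the log service, not by the systems that emit events
        self.entries = []

    def append(self, record: dict) -> str:
        prev = bytes.fromhex(self.entries[-1]["hash"]) if self.entries else GENESIS
        seq = len(self.entries)
        digest = entry_hash(prev, seq, record, self._key)
        self.entries.append({"seq": seq, "record": record, "hash": digest.hex()})
        return digest.hex()

    def checkpoint(self) -> dict:
        """Head hash plus count, to be stored where the writer cannot alter it (e.g. an object-lock bucket)."""
        head = self.entries[-1]["hash"] if self.entries else GENESIS.hex()
        return {"count": len(self.entries), "head": head}

def verify(entries: list, key: bytes, checkpoint: dict = None) -> tuple:
    """Recompute the chain; returns (ok, reason). A checkpoint is required to catch tail truncation."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"sequence gap at position {i}"
        expect = entry_hash(prev, i, e["record"], key)
        if not hmac.compare_digest(expect, bytes.fromhex(e["hash"])):
            return False, f"hash mismatch at seq {i}"
        prev = expect
    if checkpoint is not None and checkpoint["count"] > 0:
        if len(entries) < checkpoint["count"]:
            return False, "log truncated below checkpoint"
        if entries[checkpoint["count"] - 1]["hash"] != checkpoint["head"]:
            return False, "chain diverges from checkpoint"
    return True, "ok"

def run_scenarios(key: bytes = b"constructed-demo-key") -> dict:
    """Build a log from the sample events, then verify it intact and under several tamperings."""
    log = ChainedLog(key)
    for event in SAMPLE_EVENTS:
        log.append(event)
    anchor = log.checkpoint()
    edited = copy.deepcopy(log.entries)
    edited[1]["record"]["result"] = "success"   # rewrite a failed login as a success
    dropped = copy.deepcopy(log.entries)
    del dropped[2]                               # remove the role change entirely
    truncated = log.entries[:3]                  # silently discard the newest entry
    return {
        "intact": verify(log.entries, key, anchor),
        "edited": verify(edited, key, anchor),
        "dropped": verify(dropped, key, anchor),
        "truncated_no_anchor": verify(truncated, key),
        "truncated_with_anchor": verify(truncated, key, anchor),
        "wrong_key": verify(log.entries, b"not-the-key", anchor),
    }
```

The "truncated_no_anchor" scenario passes verification, which is the point: a hash chain by itself only proves that what remains is internally consistent. Retention and append-only guarantees need the periodic checkpoint (or a signed head) held outside the writer's control, and the HMAC key must not be available to the components whose events are being recorded.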

Our security operations center (SOC) monitors the platform 24/7/365 using a combination of automated alerting, security information and event management (SIEM) systems, and threat intelligence feeds. We employ anomaly detection and behavioral analytics to identify suspicious activities, such as unusual access patterns, data exfiltration attempts, and credential abuse. Critical alerts are escalated to on-call security engineers for immediate investigation and response.
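
Detection logic of the kind the paragraph describes, as an added example and not CRED's SIEM content: a sliding-window scan over authentication events that flags password spraying (one source, many accounts), brute force (one source, one account) and a success that follows a burst of failures from the same source. The log format, the thresholds and the sample lines are assumptions constructed for the example.

```python
"""Credential-abuse detection over authentication log lines (added example, not CRED's SIEM rules)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value format, not real CRED logs.
SAMPLE_LOG = """\
2025-01-14T09:00:01Z auth result=failure user=alice src=203.0.113.7
2025-01-14T09:00:03Z auth result=failure user=bob src=203.0.113.7
2025-01-14T09:00:05Z auth result=failure user=carol src=203.0.113.7
2025-01-14T09:00:07Z auth result=failure user=dave src=203.0.113.7
2025-01-14T09:01:30Z auth result=failure user=frank src=192.0.2.5
2025-01-14T09:01:41Z auth result=success user=frank src=192.0.2.5
2025-01-14T09:05:00Z auth result=failure user=eve src=198.51.100.9
2025-01-14T09:05:10Z auth result=failure user=eve src=198.51.100.9
2025-01-14T09:05:20Z auth result=failure user=eve src=198.51.100.9
2025-01-14T09:05:30Z auth result=failure user=eve src=198.51.100.9
2025-01-14T09:05:40Z auth result=failure user=eve src=198.51.100.9
2025-01-14T09:05:50Z auth result=failure user=eve src=198.51.100.9
2025-01-14T09:06:00Z auth result=success user=eve src=198.51.100.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(text: str) -> list:
    """Parse lines matching the assumed format; anything else is skipped rather than crashing the rule."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events

def detect_credential_abuse(events: list, window: timedelta = timedelta(minutes=5),
                            spray_users: int = 3, brute_fails: int = 5) -> list:
    """Sliding-window rules per source IP; each (rule, src, user) fires at most once."""
    events = sorted(events, key=lambda e: e["ts"])
    fails_by_src = defaultdict(deque)   # src -> deque of (ts, user) failures inside the window
    alerts, seen = [], set()

    def fire(rule: str, src: str, user: str = None) -> None:
        if (rule, src, user) not in seen:
            seen.add((rule, src, user))
            alerts.append({"rule": rule, "src": src, "user": user})

    for e in events:
        q = fails_by_src[e["src"]]
        while q and e["ts"] - q[0][0] > window:
            q.popleft()                              # expire failures older than the window
        if e["result"] == "failure":
            q.append((e["ts"], e["user"]))
            if len({u for _, u in q}) >= spray_users:
                fire("password_spray", e["src"])
            if sum(1 for _, u in q if u == e["user"]) >= brute_fails:
                fire("brute_force", e["src"], e["user"])
        elif e["result"] == "success" and len(q) >= brute_fails:
            fire("success_after_failures", e["src"], e["user"])   # likely a compromised account
    return alerts
```

On the sample, the single mistyped password from 192.0.2.5 produces nothing, the four-account burst from 203.0.113.7 raises one spray alert, and 198.51.100.9 raises a brute-force alert followed by the higher-priority success-after-failures alert that an on-call engineer would want escalated first. Thresholds and window length are the tuning knobs; the rule structure (per-source state, expiry, one alert per key) is what keeps it from flooding the queue.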

We conduct regular vulnerability scanning of all externally facing and internal systems using both automated tools and manual assessments. Critical and high-severity vulnerabilities are triaged and remediated within defined SLA timelines (critical: 24 hours, high: 72 hours, medium: 30 days). We also engage independent third-party firms to conduct annual penetration testing of our platform and infrastructure, with findings addressed according to our vulnerability management process.

Incident Response

CRED maintains a documented incident response plan that defines procedures for identifying, containing, eradicating, recovering from, and learning from security incidents. The plan establishes clear roles and responsibilities, communication protocols, and escalation procedures. Our incident response team includes representatives from security, engineering, legal, communications, and executive leadership.

In the event of a security incident that affects customer data, CRED will notify affected customers without undue delay, and in any event within seventy-two (72) hours of becoming aware of the incident. Notifications will include a description of the incident, the types of data affected, the measures taken to contain and remediate the incident, and recommendations for any steps customers should take to protect themselves.

We conduct tabletop exercises and simulated incident response drills at least twice annually to test the effectiveness of our incident response procedures and identify areas for improvement. Following each exercise and real incident, we conduct a post-incident review to capture lessons learned and update our procedures, controls, and training as appropriate.

Compliance

CRED maintains the following certifications and compliance attestations to demonstrate our commitment to security and data protection:

  • SOC 2 Type II — CRED undergoes an annual SOC 2 Type II audit conducted by an independent third-party auditor. The audit evaluates our controls related to security, availability, processing integrity, confidentiality, and privacy. Our most recent SOC 2 report is available to customers and prospective customers under NDA upon request.
  • GDPR Compliance — CRED is committed to compliance with the European Union General Data Protection Regulation. We have implemented comprehensive data protection measures, including data processing agreements, privacy impact assessments, data subject rights fulfillment procedures, and lawful transfer mechanisms (Standard Contractual Clauses) for international data transfers.
  • CCPA Compliance — CRED complies with the California Consumer Privacy Act, providing California residents with rights to access, delete, and opt out of the sale of their personal information. We do not sell personal information.

Customers may request copies of our SOC 2 Type II report, penetration testing executive summary, and other compliance documentation by contacting our security team. We also maintain a completed Cloud Security Alliance Consensus Assessments Initiative Questionnaire (CAIQ) and participate in trust and security review processes as required by our customers' vendor management programs.

Employee Security

CRED recognizes that our employees are a critical component of our security posture. All employees undergo comprehensive background checks prior to joining the company, including criminal history, employment verification, and education verification, to the extent permitted by applicable law. Employment offers are contingent upon the satisfactory completion of these checks.

Every employee is required to complete security awareness training upon hire and annually thereafter. Training covers topics including phishing awareness, social engineering, password hygiene, data handling and classification, incident reporting, and compliance with our information security policies. We conduct regular phishing simulations to test employee awareness and provide targeted training to individuals who fail these tests.

All employees sign confidentiality and non-disclosure agreements as a condition of employment. Access to customer data is restricted to employees whose job functions require it, and such access is logged and auditable. Upon termination of employment, all access is immediately revoked, company devices are collected and securely wiped, and exit procedures ensure that all confidential information is returned or destroyed.

Responsible Disclosure

CRED welcomes and encourages responsible disclosure of security vulnerabilities. If you believe you have discovered a security vulnerability in our platform, please report it to our security team at security@credplatform.com. We ask that you provide a detailed description of the vulnerability, steps to reproduce it, and any supporting evidence. We commit to acknowledging receipt of your report within 24 hours and providing regular updates on our investigation and remediation progress.

Contact Information

For security-related inquiries or to request compliance documentation, please contact: