System Security and Resilience Notice
Product and Service Security
All product systems are scanned for vulnerabilities at least annually, or in response to any significant changes to our Services, and all vulnerability findings are reported, tagged, and tracked to resolution. Records of findings are retained for a minimum of 5 years. Penetration testing is performed by CRED’s security team and/or an independent third party. Findings from a vulnerability scan and/or penetration test are analyzed in conjunction with the Security Officer, IT and our engineering team.
CRED adheres to a Software Development Lifecycle Policy. This policy defines the process requirements for providing business program managers, business project managers, technical project managers, and other program and project stakeholders with guidance to support the approval, planning, and life-cycle development of CRED Investments software systems, to ensure that their processes are repeatable and that they keep Personal Data secure and confidential at every stage of the process.
We thoroughly assess our code for functionality and potential security efficacy at each stage of development and maintenance. All software deployed on Corporate or Hosted infrastructure actively addresses security issues covered by SANS and OWASP. Any modifications to the source code follow established change management procedures. Prior to deployment, our code undergoes both automated and manual testing.
CRED's APIs are built to deliver a reliable and scalable solution for Corporate Clients while keeping security measures in place. Every API request requires authentication using the account holder's confidential API key via HTTP Basic Auth. We also extend support for OAuth 2.0, enabling third-party applications to access our service. To protect against malicious traffic, CRED implements a range of rate limiting controls.
Data Encryption
CRED’s Encryption Policy defines organizational requirements for the use of cryptographic controls, as well as the requirements for cryptographic keys, including Virtual Private Network keys and website SSL Certificates, in order to protect the confidentiality, integrity, authenticity, and nonrepudiation of information. This policy applies to all systems, equipment, facilities and information within the scope of CRED’s information security program. All employees, contractors, part-time and temporary workers, service providers, and those employed by others to perform work on behalf of CRED having to do with cryptographic systems, algorithms, or keying material are subject to this policy and must comply with the policy and its guidelines.
Surveillance and Monitoring
Business Continuity
Disaster Recovery
CRED has a disaster recovery plan that outlines roles and responsibilities for key personnel involved in business continuity; our plan to activate and respond to a disaster by detecting, assessing and classifying any damage; our recovery plan to restore temporary operations and recover damage done to the original systems; and the reconstruction to restore system capabilities to normal operations. Exercises are performed at least annually to assess the various teams' readiness and ability to exercise the plan.
Vendor Security
CRED has in place a Vendor Management Program that establishes requirements for ensuring third-party service providers/vendors meet CRED’s requirements for preserving and protecting the data and information of CRED and its Corporate Clients. This program applies to all vendors and partners who have the ability to impact the confidentiality, integrity, and availability of CRED and its Corporate Clients' sensitive Personal Data. This program also applies to all employees and contractors that are responsible for the management and oversight of vendors and partners.
Incident Reporting
If you have any questions about CRED’s security program or you need to escalate a security concern, please contact us at privacy@credinvestments.com. We have a team responsible for security incident response that can assist. To report an identified security vulnerability in our applications, please email us at privacy@credinvestments.com.

