Security

Our accreditations

At Credentially we take immense pride in the value our platform delivers to our clients by streamlining credentialing and compliance. However, we are equally committed to safeguarding the sensitive information we handle, including personally identifiable information (PII) and commercially sensitive data. We recognise the importance of protecting our clients' privacy, as well as maintaining the security of all data we process, whether it belongs to us or our customers.

Data security

  • Secure Data Centers: We use Amazon Web Services (AWS) data centers, which provide enterprise-grade physical and network security. Clients can choose to store their data in our US, EU, or Canada region, and controls ensure that data remains within the chosen region.
  • Encryption: All data is encrypted at rest and in transit. Personally identifiable information (PII) receives an additional layer of application-level encryption: it is encrypted by the application before being written to storage, so that access to the underlying database or storage alone does not expose it in plaintext.
  • Network Segmentation: Web servers and databases run on separate networks. System access is continuously monitored and logged, and every employee and tool has its own unique credentials so that actions can be attributed to a specific account.
  • Proactive Security Practices: Our development team uses both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools, so that security findings are surfaced early in the development lifecycle rather than only at release.
  • Regular Penetration Testing: Each year we engage independent, CREST-accredited firms to conduct penetration tests, complemented by automated weekly vulnerability scans. Testing methodologies align with NIST SP 800-115, the OWASP Web Security Testing Guide, and the Penetration Testing Execution Standard (PTES).

Compliance and Certifications

Credentially aligns with industry-standard compliance frameworks to ensure our internal controls and processes meet or exceed requirements for securing customer data and maintaining product infrastructure availability. Our certifications and attestations include:

ISO 27001:2022: Demonstrating our commitment to information security management.

GDPR Compliance: Ensuring that employee records are securely maintained in full compliance with the General Data Protection Regulation.

Cyber Essentials Plus: Highlighting our dedication to robust cybersecurity measures.

NHS DSP Toolkit - Standards Exceeded: Reflecting our adherence to the UK's National Health Service Data Security and Protection standards.

NHS DTAC: Complying with the Digital Technology Assessment Criteria for health and social care.

ICO Registration: Registered with the Information Commissioner's Office, underscoring our commitment to data protection.

For detailed documentation of our compliance against global standards, including certifications, attestations, and audit reports, please refer to the respective links provided on our website.

GDPR Compliance

We prioritize the secure handling of employee records in accordance with GDPR. Our measures include:

Data Transparency: Clear visibility into data storage locations.

User Rights: Facilitating data access, amendments, and erasure upon request.

Data Portability: Ensuring clients are not locked in and can transfer their data as needed.

Access Control: Providing tools to manage and restrict data access, aiding organizations in fulfilling their responsibilities as data controllers.

Data Residency

For EU and UK customers who select our European environment, all data is stored exclusively in London, UK, which satisfies regional data residency requirements.

Data Processing Agreement (DPA)

Credentially enters into a Data Processing Agreement with every customer, committing to process data in accordance with GDPR and to cover any international data transfers under the Standard Contractual Clauses. Customers also retain control over where their data is stored.

Data Protection Officer (DPO)

Our dedicated Data Protection Officer can be contacted at dpo@credentially.io for any data protection inquiries or concerns.

Service Levels, Reliability, and Uptime

High Availability: Our fault-tolerant infrastructure ensures service availability even during periods of extreme demand.

Real-Time Monitoring: Clients can access live uptime statistics and subscribe to system incident and downtime alerts at our status page.

Service Level Agreement (SLA): Credentially provides a standard SLA to all customers, detailing our commitment to service reliability and performance.

Contact Us