USA Security Overview

Credentially provides a secure, compliant platform for managing workforce compliance and credentialing data. This document outlines our security posture, compliance certifications, and approach to protecting customer information.

Data security

  • Secure Data Centers: We utilize Amazon Web Services (AWS) data centers, renowned for their enterprise-grade physical and network security. Clients have the flexibility to store data in our US, EU, or Canada regions, with strict protocols ensuring data remains within the chosen region.
  • Advanced Encryption: All data, both at rest and in transit, is encrypted. Personally Identifiable Information (PII) receives an additional layer of application-level encryption to bolster protection.
  • Robust Network Segmentation: Our infrastructure maintains distinct networks for web servers and databases. We implement continuous monitoring and logging of system access, with each employee and tool assigned unique credentials to ensure accountability.
  • Proactive Security Practices: Our development team employs both Dynamic Application Security Testing (DAST) and Static Application Security Testing (SAST) tools, integrating security measures early in the development lifecycle.
  • Regular Penetration Testing: Annually, we engage independent, CREST-certified firms to conduct penetration tests based on the latest standards, complemented by automated weekly scans. Our methodologies align with frameworks such as NIST SP 800-115, the OWASP Web Security Testing Guide, and the Penetration Testing Execution Standard (PTES).

Company and Platform Overview

Credentially is a workforce compliance and credentialing platform used by regulated organizations to securely manage employee records and compliance workflows.

The platform is specifically designed to support healthcare organizations managing sensitive workforce data including clinician credentials, employee compliance records, and personally identifiable information (PII). Security, privacy, and regulatory compliance are core to the product design and operating model. Credentially continuously monitors its security posture and maintains documented, audited controls aligned with global security standards.

For US healthcare customers, Credentially aligns its security program with HIPAA Security Rule principles and operates as a service provider capable of supporting Business Associate Agreement (BAA) discussions where applicable.

Architecture and Data Residency

Infrastructure and Network Architecture

Credentially is hosted entirely on Amazon Web Services (AWS) infrastructure, leveraging the enterprise-grade physical security, network controls, and compliance certifications inherent to the AWS platform.

The platform architecture maintains:

  • Logical isolation between application, network, and database layers
  • Separate environments for production and non-production workloads
  • Fault-tolerant infrastructure designed for high availability and resilience
  • Enterprise-grade physical security provided by AWS data centers

Data Residency and Geographic Controls

Regional data residency is supported across multiple jurisdictions to meet data sovereignty requirements:

  • United States
  • European Union and United Kingdom (London)
  • Canada

For US healthcare customers, data is hosted in AWS US regions. Customer data is stored only in the region explicitly configured by the customer and is not replicated to or moved across other regions.
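One way a cloud tenant typically enforces a residency commitment like the one above at the account level is an AWS Organizations Service Control Policy (SCP) that denies any API call whose aws:RequestedRegion is outside the approved set, while exempting global services (IAM, STS, Route 53, CloudFront, etc.) that are always served from us-east-1. The code below is an added example, not Credentially's own policy or tooling: it builds such an SCP and includes a small evaluator so the guardrail can be checked against sample requests offline. The approved regions (us-east-1, us-west-2), the exempt-service list, and the sample requests are assumptions for illustration.

```python
"""Region guardrail SCP plus a tiny evaluator for the policy subset it uses.

Added example (not Credentially's policy). The approved regions and the
global-service exemption list below are assumptions for illustration; the
exemption list follows the pattern AWS documents for region-restriction SCPs.
"""
import fnmatch
import json

# APIs of "global" services are served from us-east-1 regardless of where the
# caller is; denying them by region would lock administrators out of IAM/STS.
# Assumed list, modeled on AWS's documented region-deny example.
GLOBAL_SERVICE_ACTIONS = [
    "iam:*", "sts:*", "organizations:*", "route53:*",
    "cloudfront:*", "support:*", "budgets:*", "health:*",
]


def build_region_guardrail_scp(allowed_regions):
    """Return an SCP document denying every non-global API call outside allowed_regions."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "DenyRequestsOutsideApprovedRegions",
                "Effect": "Deny",
                "NotAction": GLOBAL_SERVICE_ACTIONS,
                "Resource": "*",
                "Condition": {
                    "StringNotEquals": {"aws:RequestedRegion": list(allowed_regions)}
                },
            }
        ],
    }


def _action_matches(pattern, action):
    # IAM action matching is case-insensitive and supports '*' wildcards,
    # e.g. "s3:*" matches "s3:PutObject".
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_denied_by_scp(policy, action, region):
    """True if any Deny statement matches (action, region).

    Handles only the grammar subset used above: Effect=Deny, Action/NotAction,
    and a StringNotEquals condition on aws:RequestedRegion. A Deny from an SCP
    overrides any IAM Allow; a non-match means the SCP does not block the call
    (IAM policies still decide whether it is actually permitted).
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "NotAction" in stmt:
            # NotAction: statement applies to every action NOT in the list.
            applies = not any(_action_matches(p, action) for p in stmt["NotAction"])
        else:
            patterns = stmt["Action"]
            patterns = patterns if isinstance(patterns, list) else [patterns]
            applies = any(_action_matches(p, action) for p in patterns)
        if not applies:
            continue
        allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
        # StringNotEquals with a list is true when the key equals none of the values.
        if allowed is None or region not in allowed:
            return True
    return False


if __name__ == "__main__":
    scp = build_region_guardrail_scp(["us-east-1", "us-west-2"])
    print(json.dumps(scp, indent=2))
    # Constructed sample requests, not real API logs.
    samples = [
        ("s3:PutObject", "us-east-1"),          # data-plane write in an approved region
        ("s3:PutObject", "eu-west-2"),          # same write, outside the approved set
        ("rds:CreateDBInstance", "ca-central-1"),  # database created in the wrong region
        ("iam:CreateUser", "eu-west-2"),        # global service: exempt from the region check
    ]
    for action, region in samples:
        verdict = "DENY" if is_denied_by_scp(scp, action, region) else "not blocked by SCP"
        print(f"{action:24s} {region:13s} -> {verdict}")
```

The SCP is a control-plane guardrail: it stops resources being created or written in the wrong region through the API, but it does not by itself prevent data leaving a region through cross-region replication that was configured earlier, so it should be paired with checks on S3 replication rules, RDS read replicas and KMS key regions.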

Data Handling and Ownership

Customers retain full ownership of their data at all times. Credentially acts as a data processor under GDPR and as a service provider under HIPAA where applicable. The platform supports comprehensive data subject rights including:

  • Data access and retrieval
  • Data correction and amendment
  • Data deletion and right to be forgotten
  • Data portability and export

Contractual Frameworks

A Data Processing Agreement (DPA) incorporating GDPR Standard Contractual Clauses is in place for all customers. For healthcare organizations handling Protected Health Information (PHI), Credentially can support Business Associate Agreement (BAA) discussions as required under HIPAA.

Security Controls

Access Controls and Authentication

Credentially enforces comprehensive access controls across the platform:

  • Role-based access control (RBAC) enforcing least-privilege access principles
  • Unique user accounts for all employees and system accounts
  • Multi-factor authentication (MFA) enforced for supported access paths
  • Administrative access restricted to authorized personnel and centrally logged
  • Regular access reviews and recertification managed through formal access control policies

Note: Specific information regarding SSO/SAML integration capabilities and specific password policy requirements is available upon request.

Encryption Standards

All customer data is protected using industry-standard encryption:

  • Encryption in transit: TLS 1.2 or higher for all data transmission
  • Encryption at rest: Industry-standard AES-256 encryption for stored data
  • Additional application-level encryption applied to personally identifiable information (PII)
  • Encryption key management handled securely using AWS-native key management services

Monitoring, Logging and Threat Detection

Credentially maintains continuous security monitoring and logging capabilities:

  • Centralized logging and monitoring across infrastructure and application layers
  • Continuous security posture monitoring and configuration management
  • Automated malware detection and alerting
  • System access events, administrative actions, and security events logged and reviewed
  • Public system uptime and incident notifications available at https://status.credentially.io

Security event logs are retained and monitored to support incident investigation, forensic analysis, and compliance requirements.

Secure Development Lifecycle and Vulnerability Management

Secure Software Development

Credentially follows a secure development lifecycle with integrated "shift-left" security practices throughout the development process:

  • Static Application Security Testing (SAST) integrated into the development pipeline
  • Dynamic Application Security Testing (DAST) performed on running applications
  • Security testing integrated before code reaches production environments

Vulnerability Scanning and Penetration Testing

  • Automated vulnerability scanning performed weekly across infrastructure and applications
  • Annual independent third-party penetration testing conducted by CREST-certified security firms
  • Penetration testing aligned with NIST SP 800-115, OWASP Web Security Testing Guide, and Penetration Testing Execution Standard (PTES)

Identified vulnerabilities are triaged, remediated, and tracked through resolution according to risk-based prioritization.

Compliance and Certifications

Credentially maintains audited and documented compliance against recognized global standards.

SOC 2 Type II

SOC 2 Type II attestation report issued. Audit complete.

ISO 27001:2022

ISO 27001:2022 certified

HIPAA

Security program aligned with HIPAA Security Rule principles. Business Associate Agreement (BAA) discussions supported where applicable.

GDPR

Compliant (UK and EU aligned)

NHS DSP Toolkit

Standards Exceeded

Cyber Essentials Plus

Certified

ICO (UK Data Protection)

Registered

NHS DTAC

Certified

Note: Compliance documentation, certificates, and attestations are available upon request through the Credentially trust center or via your account representative.

Incident Response and Business Continuity

Incident Response Capabilities

Credentially maintains a comprehensive incident response program designed to detect, respond to, and recover from security incidents:

  • Written incident response plan with defined roles, responsibilities, and escalation paths
  • Dedicated incident response team trained in incident handling procedures
  • Breach notification procedures handled in line with contractual and regulatory requirements
  • Continuous monitoring and automated alerting for security events

Business Continuity and Disaster Recovery

The platform is designed for resilience and continuous availability:

  • Daily database backups to ensure data recoverability
  • Tested disaster recovery plan to restore operations following major incidents
  • Fault-tolerant infrastructure designed for high availability across multiple availability zones
  • Infrastructure redundancy to minimize single points of failure

Note: Please request detailed DR/BC specifications separately if required for security assessment.

Security Governance and Organizational Structure

Credentially maintains formal security governance through documented policies, regular reviews, and continuous improvement of security controls. Security and compliance activities are integrated into organizational operations at all levels.

Vendor Risk Management and Sub-Processors

Primary Infrastructure Provider

Amazon Web Services (AWS) serves as the primary infrastructure provider for Credentially. AWS maintains extensive security certifications and attestations including SOC 2, ISO 27001, HIPAA, and FedRAMP, and provides enterprise-grade physical security, network controls, and compliance frameworks.

Sub-Processor Management

All sub-processors are contractually bound to security and privacy obligations equivalent to Credentially's own. Sub-processor risk is evaluated and reviewed as part of vendor risk management processes. Customers may request additional details, notifications regarding sub-processor changes, or a complete sub-processor list.

Security Controls Summary

Is data encrypted at rest and in transit?

Yes. All data is encrypted at rest using AES-256 encryption and in transit using TLS 1.2 or higher. Additional application-level encryption is applied to personally identifiable information (PII) for enhanced protection.

Do you support least-privilege access?

Yes. Role-based access control (RBAC) and unique user accounts enforce least-privilege access principles across the platform. Access permissions are granted based on job function and reviewed regularly.

Is multi-factor authentication (MFA) supported?

Yes. Multi-factor authentication (MFA) is enforced for supported access paths to add an additional layer of security beyond passwords.

Do you maintain audit logs?

Yes. System access events, administrative actions, and security events are centrally logged and monitored. Audit logs support compliance requirements, security investigations, and forensic analysis.

How do you handle vulnerability management?

Automated weekly vulnerability scanning is performed across infrastructure and applications. Annual independent third-party penetration testing is conducted by CREST-certified security firms, aligned with NIST SP 800-115, the OWASP Web Security Testing Guide, and PTES. Identified vulnerabilities are triaged and remediated according to risk-based prioritization.

What is your backup and disaster recovery approach?

Daily database backups ensure data recoverability. A documented and tested disaster recovery plan is maintained, supported by fault-tolerant infrastructure designed for high availability across multiple availability zones.

Do you support SSO/SAML integration?

Information not available in this document. Please contact your Credentially representative for details on SSO and SAML integration capabilities.

What are your password policy requirements?

Information not available in this document. Please contact your Credentially representative for detailed password policy specifications, including complexity requirements, rotation policies, and password history rules.

Data Processing and Privacy Documentation

Credentially provides comprehensive data processing and privacy documentation to support contractual requirements and regulatory compliance:

  • Privacy Policy outlining data handling practices
  • Data Processing Agreement (DPA) incorporating GDPR Standard Contractual Clauses
  • GDPR compliance documentation demonstrating data subject rights support
  • Data residency controls and geographic data hosting specifications
  • Data retention and deletion policies and procedures
  • Business Associate Agreement (BAA) for HIPAA-covered entities where applicable