We're secure and GDPR compliant

It's our speciality

Security

Data Centers

All data is secured in Amazon Web Services (AWS) data centres with enterprise-grade physical and network security. Data can be stored in our US-, EU- or Canada-based regions, and data does not travel between regions.

Encryption

Data is encrypted at rest and in transit, and PII is protected with an additional layer of application encryption.

Defense in Depth

Credentially maintains separate networks for web servers and databases, detects and logs access to systems, and issues unique credentials to each employee and tool.

Shift Left

Our developers are proactive when it comes to security and use both dynamic (DAST) and static (SAST) application security testing tools.

Penetration Testing

We work with an external, independent specialist firm to conduct a CREST-certified penetration test every year, alongside an automated scan on a weekly basis.

All testing performed is based on the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, the OWASP Web Security Testing Guide and the Penetration Testing Execution Standard frameworks.

📄 CREST Pen Test certificate

Compliance

Credentially adheres to industry-standard compliance frameworks. This ensures that our internal controls and processes meet or exceed the requirements for securing customer data and the availability of our product infrastructure. Documentation of our compliance with global standards, including certifications, attestations and audit reports, is listed below.

  1. ISO 27001:2022 (📄 certificate)
  2. GDPR
  3. Cyber Essentials Plus (📄 certificate)
  4. NHS DSP Toolkit - Standards Exceeded (📄 certificate)
  5. NHS DTAC
  6. ICO registration (📄 certificate)
  7. CREST Pen Test certificate (📄 certificate)

GDPR Compliance

We ensure your employee records are kept securely and in a manner compliant with GDPR. We set up record keeping, provide audit tools and handle subject access requests by your data subjects (your staff).

  • We know where your data is being held
  • You can view, amend and erase your data
  • Your data is portable, so you are not locked in
  • You control who can access your data
  • We provide you with tools to meet your responsibilities as a data controller and help your organisation keep your employee data compliant with GDPR

You can review the exact security standards we use here and read our privacy policy.

Data Residency

If our EU and UK customers select our European environment, their data will only be stored in London, UK.

DPA - Data Processing Agreement

Credentially puts in place a DPA (data processing agreement) with all customers, under which Credentially commits to processing data and data transfers in accordance with GDPR, including its Standard Contractual Clauses. In addition, we offer customers control over where their data is stored.

DPO - Data Protection Officer

You can also contact our Data Protection Officer at dpo@credentially.io

Service Levels, Reliability and Uptime

Uptime

Fault-tolerant infrastructure ensures availability even during extreme demand.

Live uptime status, and subscription to system incident and downtime alerts, are always available at https://status.credentially.io

Service Level Agreement

Credentially provides a standard SLA to all its customers. It is available here

Policies

Please see our policies on the Terms and Policies page

All security policies