Handling sensitive data is the whole job. Here is how we protect it.
Credibled provides background screening and identity verification for employers and organizations. We act as a data processor for our business clients, and we build security and privacy into how the platform is designed and run. This page summarizes who we are, the controls we operate, and how to request our documentation.
Security controls
8 controlsThe measures below are documented in our internal security policies. Policy summaries and our signed Data Processing Agreement are available on request.
Canadian data residency
Production data is hosted on Amazon Web Services in the Canada (Central) region (ca-central-1). Data stays within Canadian infrastructure unless a specific subprocessor requires processing elsewhere.
Encryption
Production data is encrypted at rest using keys managed by Credibled, and data in transit is protected using encryption.
Access control and authentication
Access to production is disabled by default and granted through a documented approval process on a least-privilege basis. Unique accounts, role-based access, single sign-on, and multi-factor authentication are enforced, and shared or default accounts are disabled.
Data segregation
Client data is logically separated using a unique customer identifier, and API access tokens restrict data access to the authenticating account.
Logging and monitoring
Access to production is logged. Monitoring includes activity and file-integrity monitoring and vulnerability scanning.
Incident and breach response
A documented breach management process is coordinated by our Security Officer. For personal data processed on behalf of a client, we notify the client without undue delay and within seventy-two hours of becoming aware of a breach.
Personnel and confidentiality
Workforce members are bound by confidentiality obligations and complete access and security awareness training during onboarding and on the job.
Data retention and disposal
Records are kept for defined retention periods and disposed of using secure methods, with de-identification or anonymization where appropriate.
Documents
Legal documents are available to view. Security and governance policies are shared with prospective and current clients on request. Full policies are shared under a non-disclosure agreement; summaries can be shared on reasonable request.