Skip to content
Trust & Security

Handling sensitive data is the whole job. Here is how we protect it.

Credibled provides background screening and identity verification for employers and organizations. We act as a data processor for our business clients, and we build security and privacy into how the platform is designed and run. This page summarizes who we are, the controls we operate, and how to request our documentation.

Toronto, Ontario, Canada Last reviewed: July 7, 2026 Data hosted in Canada

Security controls

8 controls

The measures below are documented in our internal security policies. Policy summaries and our signed Data Processing Agreement are available on request.

Canadian data residency

Production data is hosted on Amazon Web Services in the Canada (Central) region (ca-central-1). Data stays within Canadian infrastructure unless a specific subprocessor requires processing elsewhere.

Encryption

Production data is encrypted at rest using keys managed by Credibled, and data in transit is protected using encryption.

Access control and authentication

Access to production is disabled by default and granted through a documented approval process on a least-privilege basis. Unique accounts, role-based access, single sign-on, and multi-factor authentication are enforced, and shared or default accounts are disabled.

Data segregation

Client data is logically separated using a unique customer identifier, and API access tokens restrict data access to the authenticating account.

Logging and monitoring

Access to production is logged. Monitoring includes activity and file-integrity monitoring and vulnerability scanning.

Incident and breach response

A documented breach management process is coordinated by our Security Officer. For personal data processed on behalf of a client, we notify the client without undue delay and within seventy-two hours of becoming aware of a breach.

Personnel and confidentiality

Workforce members are bound by confidentiality obligations and complete access and security awareness training during onboarding and on the job.

Data retention and disposal

Records are kept for defined retention periods and disposed of using secure methods, with de-identification or anonymization where appropriate.

Regulatory framework. Credibled operates under Canadian privacy law, principally PIPEDA and applicable provincial law. Where the EU or UK GDPR applies to a processing activity, those requirements apply. For US background checks, Credibled and its providers operate consistent with the Fair Credit Reporting Act (FCRA).
Security and compliance. Credibled operates a documented information security program covering access control, encryption, monitoring, and incident response, with data hosted in Canada. Credibled is not currently SOC 2 Type II or ISO 27001 certified and is actively working toward SOC 2. Policy summaries and our signed Data Processing Agreement are available on request.

Documents

Legal documents are available to view. Security and governance policies are shared with prospective and current clients on request. Full policies are shared under a non-disclosure agreement; summaries can be shared on reasonable request.

SecurityAvailable upon request
Data Protection PolicySummary available; full policy under NDA Request
Password PolicySummary available; full policy under NDA Request
System Access Control PolicySummary available; full policy under NDA Request
Acceptable Use PolicyAvailable under NDA Request
Architecture DiagramAvailable under NDA Request
PoliciesAvailable upon request
Code of ConductAvailable under NDA Request
Legal4 public · 2 on request
Privacy Policy View
Terms of ServiceBusiness and organizational use View
MyCheck Terms of ServiceConsumer product (Canada) View
Data Processing Agreement View
Signed Data Processing AgreementAvailable under NDA Request
List of SubprocessorsAvailable under NDA Request