Security Policy

Scope

This Security Policy applies to all Credenti-managed systems, including SaaS and on-premises deployments, mobile apps, APIs, and supporting infrastructure. It governs the actions of employees, contractors, and third-party partners involved in delivering, maintaining, or supporting identity and access management services.

Policy Ownership

This policy is reviewed and updated at least annually or in response to significant architectural or regulatory changes. The Chief Information Security Officer (CISO) is responsible for the implementation, oversight, and maintenance of this policy.

Credenti delivers passwordless, phishing-resistant identity solutions backed by industry-leading security practices. Our security program is structured around Physical, Technical, and Administrative Controls to protect user identities, platform integrity, and customer data.

Technical Security Measures

Encryption & Data Protection

  • AES-256 encryption for data at rest via AWS KMS
  • TLS 1.2/1.3 with certificate pinning for data in motion
  • Per-tenant key isolation using HSM-backed KMS
  • Automated key rotation and lifecycle management

Secret Management

  • No hardcoded secrets in code or configuration
  • Secrets managed using Kubernetes controllers and AWS KMS
  • Secret lifecycle controls for creation, rotation, and revocation
  • Audit trails and anomaly detection via AWS CloudTrail

Platform & Application Security

  • Hosted on AWS with WAF, Shield, and Firewall Manager
  • Rate limiting and DDoS mitigation at multiple layers
  • Tenant-level logical data segregation
  • Production data and encryption keys are not accessible to internal teams

Secure Development & DevOps

  • CI/CD pipelines with SCA scans on dependencies
  • Static Application Security Testing (SAST) integrated into build pipelines to identify code-level vulnerabilities early
  • Dynamic Application Security Testing (DAST) performed on running applications and APIs
  • Infrastructure as code with security scanning (e.g., Amazon Inspector)
  • Hardened admin access via jump-boxes and IP whitelisting
  • Internal and external penetration testing

Secure Development & Security Testing Practices

  • Formal Secure Software Development Lifecycle (SSDLC) aligned with OWASP best practices and OWASP Top 10 risk mitigation guidelines, with controls continuously validated against the latest OWASP Top 10 categories
  • Threat modeling conducted during design phases to identify and mitigate architectural risks
  • Regular red teaming exercises to simulate real-world attack scenarios and validate defensive controls
  • Continuous security testing integrated throughout development, staging, and production environments
  • Security-focused peer code reviews for high-risk components and features

Monitoring & Observability

  • Continuous system health and performance monitoring
  • Real-time alerts for anomalies and errors
  • Comprehensive audit trails for sign-ins and admin actions
  • SIEM-compatible logging for enterprise integration

Vulnerability Management

  • Continuous scanning using Amazon Inspector and integrated CI/CD analysis
  • Timely remediation based on CVSS scores and exploitability
  • Third-party and open-source dependencies tracked and reviewed
  • Monthly internal and annual third-party penetration testing

On-Premises Security Controls

  • All customer data remains within the customer network, ensuring data sovereignty
  • Customers retain full ownership of data and audit logs
  • Option to configure separate Kubernetes (K8s) clusters for sub-organizations or business units
  • Secure Kubernetes access best practices:
    • Authenticate from enterprise-managed devices
    • Integrate with identity providers (e.g., Entra, Okta) for SSO
    • Enforce MFA using hardware tokens (e.g., YubiKey)
    • Manage access via PAM solutions
    • Require hardened jump servers or bastion hosts
    • Rotate SSH credentials and log all access attempts

Administrative Security Measures

Compliance & Governance

  • SOC 2 Type II, SOC 1 Type II
  • GDPR, PCI DSS, CFR Part 11
  • ISO 27001 certified
  • Designed for HIPAA, GDPR, and NIST SP 800-63 alignment
  • Regional hosting options for data residency

Policies & Access Control

  • Role-based access controls (RBAC)
  • Secure Software Development Lifecycle (SSDLC)
  • Change management and quarterly access reviews

Security Awareness & Training

  • Required training for all employees
  • Role-based access enforcement
  • Regular phishing simulations

Incident Response

  • 24/7 security operations
  • Documented and tested Incident Response Plan (IRP)
  • SLAs for detection, response, and communication

Service Continuity & Disaster Recovery

  • Multi-region, multi-AZ AWS infrastructure
  • DR Plan with defined RTO/RPO
  • Encrypted backups and failover testing
  • DR validated by SOC 2 and ISO audits

Audits & Corrective Actions

  • Audit logs for authentication and admin events
  • Full traceability of system changes
  • Internal audits with corrective action
  • SIEM integration and audit support

Vendor Risk Management

  • Security due diligence and compliance for all vendors
  • Data Protection Agreements (DPAs)
  • Quarterly vendor access reviews
  • AWS compliance with FedRAMP, ISO 27001, SOC 2

Physical Security Measures

Data Center & Infrastructure Security

  • Hosted on AWS cloud
  • 24/7 surveillance, biometric access, and environmental controls
  • Compliance: SOC 1/2/3, ISO 27001, FedRAMP, FIPS 140-2
  • Governed by AWS Shared Responsibility Model

Endpoint & Device Protection

  • Disk encryption on all company laptops
  • MFA for internal systems
  • Mobile Device Management (MDM) and health checks

Office & Asset Controls

  • Badge-based facility entry
  • Segmented Wi-Fi networks for corporate and guest use
  • Secure disposal of hardware and storage media

Transparency & Contact

Credenti provides customers with real-time visibility into platform events, admin actions, and access logs.

To request documentation or report a concern:

📧 support@credenti.com