Security Policy

Version 2.1 – May 2025

Revision History:

  • Version 2.0 - October 2024 (Initial public release of combined policy)
  • Version 2.1 - May 2025 (Updated to include TLS 1.3 consideration, specific Kubernetes secret management, clarified internal penetration testing frequency, and added data retention policy mention.)

Scope

This Security Policy applies to all Credenti-managed systems, including SaaS and on-premises deployments, mobile apps, APIs, and supporting infrastructure. It governs the actions of employees, contractors, and third-party partners involved in delivering, maintaining, or supporting identity and access management services.

Policy Ownership

This policy is reviewed and updated at least annually or in response to significant architectural or regulatory changes. The Chief Information Security Officer (CISO) is responsible for the implementation, oversight, and maintenance of this policy.

Credenti delivers passwordless, phishing-resistant identity solutions backed by industry-leading security practices. Our security program is structured around Physical, Technical, and Administrative Controls to protect user identities, platform integrity, and customer data.

Technical Security Measures

Encryption & Data Protection

  • AES-256 encryption for data at rest via AWS KMS
  • TLS 1.2/1.3 with certificate pinning for data in motion
  • Per-tenant key isolation using HSM-backed KMS
  • Automated key rotation and lifecycle management

Secret Management

  • No hardcoded secrets in code or configuration
  • Secrets managed using Kubernetes controllers (e.g., External Secrets Operator) and AWS KMS
  • Secret lifecycle controls for creation, rotation, and revocation
  • Audit trails and anomaly detection via AWS CloudTrail

Platform & Application Security

  • Hosted on AWS with WAF, Shield, and Firewall Manager
  • Rate limiting and DDoS mitigation at multiple layers
  • Tenant-level logical data segregation
  • Production data and encryption keys are not accessible to internal teams

Secure Development & DevOps

  • CI/CD pipelines with SCA scans on dependencies
  • Infrastructure as code with security scanning (e.g., Amazon Inspector)
  • Hardened admin access via jump-boxes and IP whitelisting
  • Internal (quarterly) and external (annual) penetration testing

Monitoring & Observability

  • Continuous system health and performance monitoring
  • Real-time alerts for anomalies and errors
  • Comprehensive audit trails for sign-ins and admin actions
  • SIEM-compatible logging for enterprise integration

Vulnerability Management

  • Continuous scanning using Amazon Inspector and integrated CI/CD analysis
  • Timely remediation based on CVSS scores, exploitability, and business impact
  • Third-party and open-source dependencies tracked and reviewed
  • Monthly internal and annual third-party penetration testing

On-Premises Security Controls

  • All customer data remains within the customer network, ensuring data sovereignty
  • Customers retain full ownership of data and audit logs
  • Option to configure separate Kubernetes (K8s) clusters for sub-organizations or business units
  • Secure Kubernetes access best practices:
    • Authenticate from enterprise-managed devices
    • Integrate with identity providers (e.g., Entra, Okta) for SSO
    • Enforce MFA using hardware tokens (e.g., YubiKey)
    • Manage access via PAM solutions
    • Require hardened jump servers or bastion hosts
    • Rotate SSH credentials (automated via certificate-based access) and log all access attempts

Administrative Security Measures

Compliance & Governance

  • SOC 2 Type II, SOC 1 Type II
  • GDPR, PCI DSS, CFR Part 11
  • ISO 27001 certified
  • Designed for HIPAA, GDPR, and NIST SP 800-63 alignment
  • Regional hosting options for data residency

Policies & Access Control

  • Role-based access controls (RBAC)
  • Secure Software Development Lifecycle (SSDLC)
  • Change management and quarterly access reviews

Security Awareness & Training

  • Required training for all employees
  • Role-based access enforcement
  • Regular phishing simulations
  • Background checks performed for employees in sensitive roles

Incident Response

  • 24/7 security operations
  • Documented and tested Incident Response Plan (IRP)
  • SLAs for detection, response, and communication

Service Continuity & Disaster Recovery

  • Multi-region, multi-AZ AWS infrastructure
  • DR Plan with defined RTO/RPO
  • Encrypted backups and failover testing
  • DR validated by SOC 2 and ISO audits

Audits & Corrective Actions

  • Audit logs for authentication and admin events
  • Full traceability of system changes
  • Internal audits with corrective action
  • SIEM integration and audit support
  • Defined data retention policies for customer data and audit logs

Vendor Risk Management

  • Security due diligence and compliance for all vendors
  • Data Protection Agreements (DPAs)
  • Quarterly vendor access reviews
  • AWS compliance with FedRAMP, ISO 27001, SOC 2

Physical Security Measures

Data Center & Infrastructure Security

  • Hosted on AWS cloud
  • 24/7 surveillance, biometric access, and environmental controls
  • Compliance: SOC 1/2/3, ISO 27001, FedRAMP, FIPS 140-2
  • Governed by AWS Shared Responsibility Model

Endpoint & Device Protection

  • Disk encryption on all company laptops
  • MFA for internal systems
  • Mobile Device Management (MDM) and health checks

Office & Asset Controls

  • Badge-based facility entry
  • Segmented Wi-Fi for corporate and guest
  • Secure disposal for hardware/media

Transparency & Contact

Credenti provides customers with real-time visibility into platform events, admin actions, and access logs.

To request documentation or report a concern:

📧 support@credenti.com