Trust Center

CreditQuant AI is built on a security-first architecture. We protect your sensitive financial data with enterprise-grade controls at every layer of our platform.

SOC 2-Aligned Controls (status: Planned)

CreditQuant AI is architected around the SOC 2 Trust Services Criteria — including least-privilege access, encryption at rest and in transit, and full audit logging. We plan to pursue formal SOC 2 Type II certification as we scale.

Control status summary:

  Data Encryption: Active
  HTTPS / TLS 1.2+: Active
  Role-Based Access: Active

Security Controls

Our security program is organized across four domains to ensure comprehensive protection.

Infrastructure Security

  • Data encrypted at rest

    All data stored using AES-256 encryption via managed database services.

  • Data encrypted in transit

    All connections secured with TLS 1.2+ — no plaintext communication permitted.

  • Cloud-native secrets management

    Credentials and API keys stored in a dedicated secrets vault, never in source code or environment files.

  • Dedicated service accounts with least-privilege IAM

    Application runtime uses scoped service accounts with only the minimum required permissions.

  • Infrastructure managed as code

    All cloud resources defined declaratively with change review and audit trail.

Data Protection

  • Row-level access policies enforce tenant isolation

    Every data table is protected by database-level access policies ensuring strict organization-level isolation.

  • Role-based access control

    Two-tier permission model (admin/member) controls what actions each user can perform within their organization.

  • File storage scoped to organization boundaries

    Uploaded documents are stored with organization-level access controls — no cross-tenant access by design.

  • Sensitive keys isolated from client access

    Administrative and service-level credentials are never exposed to browser environments.
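The organization-level isolation described under "Row-level access policies" above, shown as an added example that is not part of CreditQuant AI's own schema or code: a PostgreSQL row-level security policy keyed on an organization_id column. The table, column, role and session-variable names (documents, organization_id, app_user, app.current_org_id) are assumptions for the illustration.

```sql
-- Added example (not CreditQuant AI's schema): PostgreSQL row-level security
-- enforcing organization-level tenant isolation on an uploaded-documents table.
-- Assumption: the application sets the session variable app.current_org_id
-- to the authenticated user's organization before running any query.

CREATE TABLE documents (
    id              bigserial PRIMARY KEY,
    organization_id uuid NOT NULL,
    owner_id        uuid NOT NULL,
    filename        text NOT NULL,
    uploaded_at     timestamptz NOT NULL DEFAULT now()
);

-- ENABLE turns RLS on; FORCE applies it even to the table owner, so a
-- misconfigured service account running as owner still cannot bypass it.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The application connects as a low-privilege role, never as a superuser.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;

-- One policy for reads (USING) and writes (WITH CHECK). current_setting(...,
-- true) returns NULL when the variable is unset, and "= NULL" is never true,
-- so a request that forgot to set its tenant context sees zero rows rather
-- than every tenant's rows (fail closed).
CREATE POLICY tenant_isolation ON documents
    FOR ALL
    TO app_user
    USING      (organization_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (organization_id = current_setting('app.current_org_id', true)::uuid);

-- Per-request usage. SET LOCAL scopes the variable to this transaction, so a
-- pooled connection cannot carry one tenant's context into the next request.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';  -- constructed value
SELECT id, filename FROM documents;   -- returns only this organization's rows
-- A write tagged with another organization's id is rejected by WITH CHECK:
-- ERROR:  new row violates row-level security policy for table "documents"
INSERT INTO documents (organization_id, owner_id, filename)
VALUES ('22222222-2222-2222-2222-222222222222',            -- constructed, other tenant
        '33333333-3333-3333-3333-333333333333', 'x.pdf');
ROLLBACK;
```

The policy is only as strong as the guarantee that every application connection runs as app_user with the tenant variable set, which is why tests for tenant isolation (see Organizational Security below) should exercise the unset-variable and wrong-tenant cases explicitly.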

Product Security

  • All user inputs validated on client and server

    Schema-based validation ensures data integrity at every boundary, from form submission to database insertion.

  • Protection against XSS and injection attacks

    Framework-level output encoding is applied to rendered content, and the codebase contains no dynamic code execution patterns.

  • AI-generated content sanitized before rendering

    LLM outputs are validated against strict schemas and sanitized before display, so that prompt injection artifacts in model output are never rendered to users.

  • Email verification required for new accounts

    All users must verify their email address before gaining full access to the platform.

  • Cookie-based sessions with CSRF protection

    Authentication tokens are stored in cookies carrying the Secure and SameSite attributes, with the appropriate flags enforced in production.

Organizational Security

  • Integration test suite for security scenarios

    Automated tests validate tenant isolation, access control enforcement, and authentication flows.

  • Automated deployment pipeline

    Code changes go through build verification and pre-commit checks before reaching production.

  • Code review required for all changes

    Infrastructure and application changes require review before merge, maintaining an audit trail.

Report a Security Concern

If you've discovered a vulnerability or have a security concern, please contact us directly. We take all reports seriously and will respond within 48 hours.

info@creditquant.ai