Compliance status
We'll update this page as statuses change. If you need current attestation documentation or SOC 2 reports under NDA, email [email protected].
How we handle your data
Engagement data
Data captured during an engagement (discovered endpoints, findings, reviewer notes, reports) is stored encrypted at rest and in transit. We do not train models on customer data. Your engagement's output feeds your engagement's report, nothing else.
Access control
Only the senior reviewer assigned to your engagement and our infrastructure team have access to your data. All access is logged and auditable. We use SSO with hardware-key-backed MFA for internal access.
Data retention
Engagement data is retained for the duration of the engagement plus 12 months for reference and retest. After that, it's purged on request or on schedule. Report PDFs you've exported are yours forever. We don't expire the files we delivered to you.
Our infrastructure
CredShields One runs on hardened cloud infrastructure with network isolation between customer tenants. Production deployments go through peer review and automated security checks. We run the same kind of continuous pentest on ourselves that we run on customers.
Responsible disclosure
If you believe you've found a vulnerability in CredShields One or our website, we want to hear about it.
How to report
Email [email protected] with:
- A clear description of the issue
- Steps to reproduce
- Any supporting scripts or screenshots
What we commit to
We'll acknowledge your report within 2 business days, triage within 5 business days, and update you at least weekly until resolution. We don't pursue legal action against researchers acting in good faith under this policy.
What's out of scope
Social engineering of staff, physical attacks on our offices, denial-of-service testing, and automated scanner output without reproduction are outside the scope of this policy. Please don't.
PGP key for sensitive reports
For sensitive disclosures, use our PGP key with fingerprint REPLACE_WITH_REAL_FINGERPRINT. The full public key is at /pgp-public.asc.