Security
Infrastructure
Credyt's infrastructure is hosted in Microsoft Azure. We use virtual networks to segregate and manage access between components and the public internet. Where managed infrastructure is used, we exclusively use private endpoints.
Internal access control is governed entirely by Microsoft Entra. External access control for the Credyt dashboard is managed using Auth0. External access through the public internet is via a central reverse proxy, protected with HTTPS.
Customer data is stored in a multi-tenant environment and encrypted in transit (TLS 1.2+) and at rest (AES-256). We use separate environments for development and production, each in their own private VNet. Internal private VNets are accessed via VPN when needed. VPN access control is also governed by Microsoft Entra.
Authentication and access control
Credyt supports API key and OAuth authentication. API keys are scoped per environment with separate test and live keys.
Role-based access control (RBAC) is available within customer accounts, allowing granular permissions across team members for dashboard and API access.
All API requests are rate limited.
Data retention
Usage events, billing records, and customer data are retained for the lifetime of the customer account. This supports historical reporting, auditability, and revenue recognition requirements. Where applicable, data may also be retained to meet legal or regulatory obligations.
When a customer account is closed, all associated data is automatically deleted after a defined retention period.
Payment processing
Credyt uses Stripe Connect (Standard Accounts model) for payment processing. Under this model, your customers own their Stripe account and relationship directly. Credyt acts as the platform but does not process, store, or have access to raw payment card data.
No PCI-scoped cardholder data is held or processed by Credyt. Tokenised references such as Stripe customer IDs and masked card numbers are used within the platform for display and reconciliation purposes only.
Personally identifiable information (PII)
Credyt processes PII of direct users of the platform (our customers) as part of account management and authentication.
For end-user data (the customers of our customers), Credyt can optionally store name and email. This is not required. Customers can instead store only their own internal identifiers to link records to their systems. The choice of what PII to store in Credyt sits with the customer.
Where end-user PII is stored, Credyt acts as a data processor on behalf of the customer. The customer retains responsibility as the data controller.
API security
- Environment separation: Test and live API keys are issued separately. Test environments are isolated from production.
- Rate limiting: All API endpoints are rate limited to protect against abuse and ensure fair usage.
- Audit logging: API activity is logged internally. Customer-facing audit logs are on the roadmap.
- Idempotency: Usage event submission supports idempotency keys to prevent duplicate processing.
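The idempotency point above deserves a concrete illustration, because the failure it guards against is a usage event being counted (and billed) twice when a client retries after a timeout. The following is an added example, not Credyt's code and not its API: the in-memory store, the event fields, the API key values and the response shape are all assumed for the demonstration. It shows the three behaviours a dedup layer needs: a retry with the same key replays the original result without touching the ledger, the same key with a different payload is rejected rather than silently replayed, and keys are scoped per API key so one tenant's key cannot collide with another's.

```python
"""Idempotent usage-event ingestion (illustrative; not Credyt's implementation).

Assumptions (hypothetical): each submission carries an idempotency key chosen by
the client; the server records the first outcome keyed on (api_key, idempotency_key)
and replays it for retries. A real service would persist this in a durable store.
"""
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class UsageLedger:
    # customer_id -> total units recorded (constructed in-memory ledger)
    totals: dict = field(default_factory=dict)
    # (api_key, idempotency_key) -> (payload fingerprint, stored response)
    seen: dict = field(default_factory=dict)

    def submit(self, api_key: str, idempotency_key: str, event: dict) -> dict:
        """Record a usage event at most once per (api_key, idempotency_key)."""
        # Canonical fingerprint of the payload so a reused key with a changed
        # body can be detected instead of quietly returning the old result.
        canonical = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        fingerprint = hashlib.sha256(canonical).hexdigest()
        scope = (api_key, idempotency_key)  # scoping per key isolates tenants

        if scope in self.seen:
            prior_fp, prior_resp = self.seen[scope]
            if prior_fp != fingerprint:
                # Same key, different payload: a client bug or a replayed request
                # that was altered; refuse rather than double-count or mis-attribute.
                return {"status": 422,
                        "error": "idempotency_key_reused_with_different_payload"}
            # Genuine retry: replay the stored response, ledger untouched.
            return {**prior_resp, "replayed": True}

        # First sighting: apply the event and remember the outcome.
        cid = event["customer_id"]
        self.totals[cid] = self.totals.get(cid, 0) + int(event["units"])
        response = {"status": 201,
                    "event_id": "evt_" + fingerprint[:12],  # constructed id format
                    "replayed": False}
        self.seen[scope] = (fingerprint, response)
        return response


def demo() -> dict:
    """Walk through a submit, a retry, a conflicting reuse and a cross-tenant key."""
    ledger = UsageLedger()
    event = {"customer_id": "cus_demo", "units": 5}        # constructed sample event
    first = ledger.submit("sk_test_tenant_a", "req-0001", event)
    retry = ledger.submit("sk_test_tenant_a", "req-0001", event)
    conflict = ledger.submit("sk_test_tenant_a", "req-0001",
                             {"customer_id": "cus_demo", "units": 6})
    other_tenant = ledger.submit("sk_test_tenant_b", "req-0001", event)
    return {"first": first, "retry": retry, "conflict": conflict,
            "other_tenant": other_tenant, "totals": dict(ledger.totals)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The fingerprint check is the part most often omitted: without it, a client that reuses a key by mistake gets a stale 201 for an event that was never recorded, which is a silent under-billing bug rather than a duplicate. Scoping on the API key, and therefore on the environment, means a key generated in test cannot suppress a live submission.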
GDPR and data protection
Credyt is a US corporation. Where our customers or their end-users are in the EU, GDPR applies to Credyt as a data processor.
Credyt supports customers in meeting their data protection obligations:
- Right to erasure: End-user data can be deleted on request.
- Right to portability: Customer data can be exported.
- Data Processing Agreement: A DPA is available on request. Contact support@credyt.ai.
- Subprocessors: A list of subprocessors is available on request.
- Data residency: Customer data is currently stored in a single Azure region. Region selection is not currently available.
Subprocessors
Credyt uses a limited number of third-party services that process or store customer data. A full list of subprocessors is available on request by contacting support@credyt.ai.
Incident response
In the event of a data breach, affected customers will be notified within 72 hours, in line with GDPR requirements.
If you believe you have found a security vulnerability, please report it to security@credyt.ai.
Certifications
We are currently evaluating the SOC 2 certification process. If this is a requirement for your security team, contact support@credyt.ai or speak to your account executive.