Security and Compliance for Regulated Financial Institutions
You are a regulated institution. Your technology vendors need to meet the same standard. Creditfern was designed from the ground up with bank-grade data handling requirements in mind.
Vendor management questionnaire available on request. We can provide a completed vendor security questionnaire suitable for your institution's IT/compliance review process. Contact [email protected] to request one.
Security controls and data handling
Data Handling & Retention
We process bank statement data transiently. Statements are analyzed and not retained longer than 90 days by default, configurable per institution policy. No raw bank account credentials are ever stored. Plaid and MX connectivity uses tokenized, read-only OAuth access only.
Encryption
AES-256 encryption at rest for all stored data. TLS 1.3 in transit for all API communications and web interfaces. Database-level field encryption for personally identifiable information and financial data. Key rotation policy with automated alerts on anomalous access.
GLBA Safeguards Rule Support
Creditfern is designed to support your GLBA Safeguards Rule obligations as a technology service provider to your institution. We can provide a vendor management questionnaire response for your IT and compliance review. We operate as a service provider under GLBA — not as a covered financial institution — and our contractual obligations are structured accordingly.
Exam Documentation Support
Every Creditfern analysis generates a documented decision narrative. If your OCC or NCUA examiner asks to review how a credit decision was made, you have the audit trail — generated automatically at the time of analysis. Creditfern output is designed to support examiner expectations for credit decision documentation, not to substitute for your institution's own credit policy.
SOC 2 Type II Audit in Progress
SOC 2 Type II audit is underway. Expected completion Q4 2026. In the interim, we can provide a completed vendor security questionnaire, architecture overview, and access to our controls documentation for institution IT review purposes.
Access Controls
Role-based access control with configurable permissions: loan officer (submit and view analyses), credit approver (view recommendations and override), administrator (manage users and institution settings). Audit log of all analysis requests with user attribution. SSO via SAML 2.0 planned for Q3 2026.
Responsible Disclosure
If you believe you have found a security vulnerability in Creditfern, please report it to us directly before public disclosure. We will respond within 48 hours and work to address confirmed vulnerabilities promptly.
[email protected]
Questions about our security controls?
Schedule a security review call with our team. We can walk through our data handling practices, access controls, and vendor questionnaire before your procurement review.