We have always placed your security first on CRED. To ensure maximum security, we have made a simple list of security to-do's you can follow:
We do not sell your personal information to or share it with unaffiliated third parties for their own advertising or marketing purposes without your explicit consent
Check out our Privacy Policy for more information
CRED is hosted on a Virtual Private Cloud on Amazon Web Services which provides a secure and scalable technology platform to ensure we can provide you services securely and reliably.
We have deployed Defence in Depth Architecture using a network firewall, web application firewall, DDoS protection layer, and a content delivery network.
Our infrastructure is launched in compliance with the AWS Well Architected Framework and from the security perspective incorporating practices from the AWS Cloud Adoption Framework
We have a 3-Tier Architecture which incorporates best practices from various standards and certifications
We have strict network segmentation and isolation of environments and services in place.
We use industry leading solutions around anti-virus, anti-malware, intrusion prevention systems, intrusion detection systems, file integrity monitoring, application control, application and audit log aggregation, and automated patching
All our servers are launched using the Center for Internet Security Benchmarks for Amazon Linux.
We employ separation of environments and segregation of duties and have strict role-based access control on a documented, authorized, need-to-use basis
We use key management services to limit access to data except the data team
Stored data is protected by encryption at rest and sensitive data by application level encryption
We use data replication for data resiliency, snapshotting for data durability and backup/restore testing for data reliability.
We have deployed mature processes around Change Management which enables us to release thoroughly tested features for you both reliably and securely enabling you to enjoy the CRED experience with maximum assurance
We have a very aggressive stance on Incident Management on both Systems downtime and Security and have a Network Operations Center and an Information Security Management System in place which quickly reacts, remediates or escalates any Incidents arising out of planned or unplanned changes.
We have an inhouse network security team which uses industry leading products to conduct manual and automated VA/PT activities
We employ both static application security testing and dynamic application security testing which is incorporated into our continuous integration / continuous deployment pipeline
We also leverage CERT-IN certified auditors to do periodic external security testing and audits.
We are committed to maintaining the highest standards of information security, data privacy, and regulatory compliance. As part of this commitment, we have achieved the following certifications and implemented robust, industry-aligned controls:
PCI DSS v4.0.1 (Level 1) Certified - We are a Level 1 PCI DSS v4.0.1 certified organization, demonstrating our adherence to stringent security requirements defined by the PCI Security Standards Council. This ensures secure handling of cardholder data across all payment processing environments.
UPI Compliance – NPCI Circulars 15B & 32 - We have successfully completed UPI compliance in line with NPCI Circulars 15B and 32. Our systems are periodically audited by CERT-In empanelled assessors to ensure adherence to NPCI’s UPI operational and security mandates.
RBI Tokenisation Compliance - We fully comply with the Reserve Bank of India’s tokenisation guidelines for both card-on-file and device-based tokenisation. Our systems enable secure generation, storage, and lifecycle management of tokens, protecting sensitive cardholder data during digital transactions.
ISO/IEC 27001:2022 Certified - Our ISO/IEC 27001:2022 certification confirms the implementation of a comprehensive Information Security Management System (ISMS), enabling structured risk management and the protection of critical information assets.
ISO/IEC 27701:2019 Certified - We are ISO/IEC 27701:2019 certified for our Privacy Information Management System (PIMS), extending our ISMS framework to address data privacy requirements and ensuring responsible handling of Personally Identifiable Information (PII).
Data Localisation Compliance – RBI Guidelines - In accordance with the Reserve Bank of India’s data localisation mandates, all customer data is securely hosted within India. We operate entirely from cloud infrastructure located in AWS’s Mumbai and Hyderabad regions, ensuring full compliance with geographic data residency norms.
CICRA & Credit Information Regulations Compliance - We adhere to the Credit Information Companies (Regulation) Act, 2005, specifically complying with Sections 19, 20, and 22, as well as the Credit Information Companies Rules, 2006, including Rules 18(b), 23, 28, and 29. These provisions govern the secure collection, processing, usage, and disclosure of credit-related information. Our policies, procedures, and systems are designed to ensure responsible handling of credit data in accordance with regulatory expectations set by the RBI and integrated Credit Information Companies.
All compliance/audit statuses will be updated in this section in this policy.
We at CRED are committed about our customer's data and privacy
We blend security at multiple steps within our products with state of the art technology to ensure our systems maintain strong security measures
The overall data and privacy security design allows us defend our systems ranging from low hanging issue up to sophisticated attacks
If you are a security enthusiast or a researcher and you have found a possible security vulnerability on CRED products, we encourage you to report the issue to us responsibly
You could submit a bug report to us at security@cred.club with detailed steps required to reproduce the vulnerability
We shall put best of our efforts to investigate and fix the legitimate issues in a reasonable time frame, meanwhile, requesting you not to publicly disclose it.