Security & trust

AgentCredit handles commercial credit data. Here's exactly what's in place and what's not. No marketing fluff — a plain-English list your IT / data-protection officer can review.

Encryption

  • All traffic encrypted in transit via TLS 1.3 (Let's Encrypt certificates).
  • Passwords hashed with PBKDF2-SHA256 (100,000 iterations, per-user salt).
  • API secrets rotated at deploy; never logged.
  • Database-at-rest encryption: AWS EBS volume encryption enabled.

Access control & auditing

  • Row-level ownership: non-admin users only see assessments they created.
  • Admin-only amend & soft-delete, with mandatory free-text reason and immutable audit log entry.
  • All sensitive actions (score, amend, delete, report generation) written to an append-only audit log.
  • Internal API requires a shared secret — the public surface cannot hit the scoring engine directly.

Data handling

  • Customer-uploaded financial data is stored only in your tenant's rows, never pooled with training data.
  • Training data sources are public: UK Companies House, SEC EDGAR, The Gazette insolvency notices, UCI Polish bankruptcy dataset.
  • We do not sell, resell, or share your assessment inputs with third parties.
  • AI report generation uses Anthropic's Claude API — disclosed in the privacy policy. Anthropic does not train on our API traffic.

Hosting & residency

  • Primary hosting: AWS London (eu-west-2) region.
  • No data transferred outside the UK/EU for production users.
  • Backups: daily encrypted snapshots retained for 30 days.

Operational practices

  • Nginx rate limiting: 10 req/s general, 5 req/s API, 2 req/s uploads (per IP).
  • Security headers enabled: HSTS, X-Content-Type-Options, X-Frame-Options, Referrer-Policy.
  • Prompt-injection defence on all AI-consuming endpoints (12 pattern filters, input length cap).
  • Dependency scanning via GitHub Dependabot.

Honest limitations (not done yet)

    We're a small team. Here's what we haven't done yet and when we plan to:

    • SOC 2 Type I — scoped for when we cross £10K MRR. Available on request for enterprise customers under NDA.
    • ISO 27001 — not in current roadmap; we use SOC 2 as the equivalent trust artefact.
    • Penetration testing — manual security review done; external pentest scheduled Q3.
    • SSO / SAML — planned for Growth tier in Q3.

Your data protection rights (UK GDPR)

  • Request a copy of all data we hold about you — email [email protected].
  • Request deletion of your account and all associated data.
  • Object to processing, or restrict it, at any time.
  • Data Processing Agreement (DPA) available on request for B2B customers.