Security
Version: 1.0
This Security Policy outlines the data protection and cybersecurity measures adopted by Crediple (operated by Crediple India Private Limited) to ensure the confidentiality, integrity, and availability of user information, particularly personal identity, financial, and credit data. Crediple maintains and enforces technical and procedural safeguards to prevent unauthorized access, misuse, loss, or compromise of that information.
1. Purpose And Scope
This policy applies to all users accessing the Crediple platform, including its web application, mobile application, APIs, backend systems, and third-party integrations. It covers:
- User authentication and session security
- Data transmission and encryption
- System access and audit trails
- Infrastructure and network security
- Incident response and backup
- Compliance with Indian regulatory frameworks
2. User Authentication And Access Controls
a. Multi-Factor Authentication (MFA)
Crediple enforces mandatory multi-factor authentication for all users and administrative access points. Users must authenticate via:
- Primary Credential (username/email + password)
- One-Time Password (OTP): Sent to the registered mobile number/email or generated by authenticator apps.
- Passkey (Web Authentication): Where supported, users can register biometric-enabled passkeys (Face ID/fingerprint) on trusted devices.
b. One-Time Password (OTP) Policy
- OTPs are randomly generated, alphanumeric codes, valid only for 3–5 minutes.
- OTP delivery channels include SMS, email, and push notifications.
- OTPs are encrypted and never stored in plain text.
c. Session Management
- Sessions automatically expire after 10 minutes of inactivity.
- Forced logouts are enforced after 24 hours or upon detection of risky login behavior (e.g., IP anomaly, device change).
- Simultaneous logins from multiple locations are restricted or flagged.
3. Password And Passkey Security
- Passwords must be at least 8 characters long and include a mix of uppercase and lowercase letters, numbers, and symbols.
- Passwords are hashed using bcrypt or Argon2 with salt.
- Users are prompted to update their password every 180 days.
- Passkeys are stored using Web Authentication-compliant frameworks and tied to device-bound public-private key pairs.
- Biometric data (used in passkeys) never leaves the device and is never stored by Crediple.
4. Data Security And Encryption
a. In Transit
- All data transmission is encrypted using TLS 1.3 with Perfect Forward Secrecy (PFS).
- HSTS (HTTP Strict Transport Security) is enabled to prevent protocol downgrade attacks.
b. At Rest
- Sensitive user data (including credit details, uploaded documents, identification numbers) is encrypted at rest using AES-256 encryption.
- Encryption keys are managed using Hardware Security Modules (HSMs) and KMS (Key Management Systems) with role-based access.
c. Data Segregation
- User data is logically segregated to prevent cross-user access.
- Backend APIs enforce user-level access controls using JWT (JSON Web Tokens) or OAuth 2.0 tokens with time-based expiry.
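The following is an added illustration (not Crediple's code) of the control described above: a backend endpoint that accepts an HS256-signed JWT, rejects it once its expiry has passed, and then applies a user-level check so that the token's subject can only read records it owns. The secret key, the 10-minute lifetime, and the user and record identifiers are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for this example only; a production service would load
# the signing key from an HSM/KMS-backed store, as the policy describes.
SECRET_KEY = b"constructed-demo-secret-do-not-use"
TOKEN_TTL_SECONDS = 10 * 60  # assumption: token lifetime mirrors the 10-minute inactivity window


def _b64url_encode(raw: bytes) -> str:
    """JWT uses unpadded base64url."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Restore the padding that JWT strips before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Mint an HS256 JWT bound to one user (sub) with an absolute expiry (exp)."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_token(token: str, now: Optional[float] = None) -> dict:
    """Return the payload only if the algorithm, signature and expiry all check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise PermissionError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the server decides how tokens are verified, never the token.
    if header.get("alg") != "HS256":
        raise PermissionError("unexpected algorithm")
    expected = hmac.new(
        SECRET_KEY, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise PermissionError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= payload.get("exp", 0):
        raise PermissionError("token expired")
    return payload


def authorize_record_access(token: str, record_owner_id: str, now: Optional[float] = None) -> bool:
    """User-level access control: the authenticated subject must own the requested record."""
    try:
        payload = verify_token(token, now=now)
    except PermissionError:
        return False
    return payload.get("sub") == record_owner_id


if __name__ == "__main__":
    issued_at = time.time()
    token = issue_token("user-42", now=issued_at)
    print("own record:", authorize_record_access(token, "user-42", now=issued_at))
    print("other user's record:", authorize_record_access(token, "user-99", now=issued_at))
    print("after expiry:", authorize_record_access(token, "user-42", now=issued_at + TOKEN_TTL_SECONDS))
```

The two checks are deliberately separate: `verify_token` establishes who the caller is and that the token is still within its lifetime, while `authorize_record_access` decides whether that identity may touch the specific record. A valid token for user-42 is therefore still refused when it is presented for user-99's data, which is the cross-user access the policy's data segregation rule is meant to prevent.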
5. Device And Browser Security
- Users are allowed to register a trusted device via device fingerprinting and behavioural biometrics.
- Unrecognised devices are subject to additional OTP/passkey verification.
- Browser fingerprinting, user agent verification, and referrer validation are used to reduce spoofing and session hijacking.
6. System & Infrastructure Security
a. Hosting Environment
- All infrastructure is hosted on ISO 27001, SOC 2, and PCI-DSS compliant cloud platforms (e.g., AWS, Azure).
- Servers are updated with automatic security patching and run minimum-privilege containers.
b. Firewalls and IDS/IPS
- Web Application Firewalls (WAFs) block common web threats (OWASP Top 10).
- Intrusion Detection and Prevention Systems (IDS/IPS) detect unauthorized access attempts or DDoS patterns.
c. Log Management & Auditing
- All system access, login attempts, transaction history, and data updates are logged and time-stamped.
- Logs are tamper-proof and retained for a minimum of 2 years for compliance and auditing purposes.
7. Employee & Third-Party Security Practices
- All employees undergo background verification and sign non-disclosure agreements (NDAs).
- Administrative access is granted strictly on a least privilege and role-based basis.
- Regular training on data security, phishing awareness, and incident response procedures is conducted.
Vendor Management
- Third-party tools and integrations are subject to security due diligence and data protection agreements (DPAs).
- All vendors must adhere to ISO 27001 or equivalent security standards.
8. Backup, Recovery And Incident Response
- Encrypted backups are taken daily and stored in geo-redundant data centers.
- Recovery Time Objective (RTO): 4 hours; Recovery Point Objective (RPO): 1 hour.
- A formal Incident Response Plan (IRP) is in place and regularly tested.
- Users will be notified within 72 hours in the event of a material data breach as per Indian laws.
9. User Responsibilities
Users are expected to:
- Use only trusted and updated devices to access the platform.
- Never share OTPs, passwords, or passkeys with others.
- Immediately report any unauthorized access or suspicious behavior to: security@crediple.com
10. Compliance And Legal Framework
Crediple’s security practices are aligned with:
- Information Technology Act, 2000
- IT (Reasonable Security Practices) Rules, 2011
- CICRA, 2005 and RBI Guidelines
- ISO/IEC 27001:2013 standards (internally benchmarked)
11. Limitation Of Liability
Crediple shall not be liable for:
- Breaches arising from user negligence or insecure personal devices.
- Misuse of data by unauthorized third parties due to the user’s compromised credentials.
- Events outside our control (force majeure, natural disasters, advanced persistent threats).
12. Changes To This Policy
Crediple may update this Security Policy from time to time. Material changes will be notified via platform communication and updated on this page with a revised effective date.
13. Contact Information
For security-related concerns or reports:
Information Security Officer – Crediple
security@crediple.com