Security Practices

Effective: 26 April 2026 · Last updated: 26 April 2026

This page describes the security controls Credminds applies to credminds.com and to the customer data we Process. It is a summary of practices and is not a substitute for due-diligence questionnaires, which we answer on engagement. Where applicable, this page should be read together with our Privacy Policy.

1. Introduction

Security is a continuous practice rather than a fixed state. The controls described below reflect what is in place today across the Credminds website, our operational tooling, and the data we Process on behalf of clients and prospective clients. Where a control is provider-managed, we explicitly say so; where it is operated directly by Credminds, we describe the implementation honestly.

2. Hosting and Network

The credminds.com website is hosted with established cloud providers operating under recognised regional and international compliance regimes. All traffic to and from the Site is served over HTTPS using TLS 1.2 or higher. Plaintext HTTP requests are automatically redirected to HTTPS at the edge.

Production secrets (API keys, database connection strings, SMTP credentials) are stored in provider-managed secret stores and are never committed to source control. Backend services are not directly exposed to the public network beyond the documented HTTPS endpoints used by the Site.

3. Data Encryption

3.1 In Transit

All Personal Data is encrypted in transit using TLS 1.2 or higher between your browser and the Site, and between the Site and our backend services and subprocessors.

3.2 At Rest

Personal Data stored in our managed database and other persistence layers is encrypted at rest using the encryption capabilities of the underlying infrastructure providers.

4. Access Control

Access to systems that Process Personal Data is governed by role-based access control and the principle of least privilege. Specifically:

  • Internal team accounts are protected by single sign-on with two-factor authentication enforced;
  • Production access is granted on a need-to-know basis and is reviewed periodically;
  • Departing team members have access revoked as part of a documented offboarding procedure.

5. Logging and Monitoring

Administrative actions on production systems are logged. Logs are retained per provider defaults and are reviewed in response to abnormal activity, security alerts, or incident triage. We do not log Personal Data submitted through forms beyond what is necessary to operate the Site (for example, IP address for rate limiting and abuse prevention, as described in our Privacy Policy).

6. Application Security

The Credminds website is engineered with the following defensive controls:

  • Input is validated on every public endpoint before any Processing or storage takes place;
  • IP-based rate limiting is enforced on the contact endpoint to deter automated abuse and credential-stuffing-style attacks;
  • The contact form includes a hidden honeypot field that filters out the majority of bot-submitted enquiries before they reach our database or notification pipeline;
  • The codebase is written in TypeScript with static type checking enabled, reducing the surface for entire classes of runtime errors;
  • Third-party dependencies are kept up to date and reviewed for known vulnerabilities before being introduced;
  • User-supplied content is escaped before being included in HTML output, including in notification emails generated from contact-form Submissions.

7. Customer Data Handling

Credminds operates on the principle of data minimisation: we collect only what is needed to respond to enquiries and to deliver our services. Specifically:

  • We do not use customer Personal Data to train third-party machine learning models;
  • We do not sell Personal Data, and we do not share it for cross-context behavioural advertising;
  • Retention periods are described in our Privacy Policy and enforced operationally through scheduled purges.

8. Vendor and Subprocessor Management

We select vendors and subprocessors based on their security posture, contractual commitments, and the operational fit for the workload they support. Material subprocessors (those that Process Personal Data on our behalf) are enumerated in Privacy Policy § 7. Where required by applicable law, we have in place written agreements with subprocessors that include appropriate confidentiality and data-protection obligations.

9. Vulnerability Disclosure

We welcome reports of security vulnerabilities in the Credminds website and our publicly accessible services. If you believe you have found a vulnerability, please report it to info@credminds.com. When you report a vulnerability:

  • We commit to acknowledging receipt within two (2) business days, and to keeping you informed as we investigate and remediate;
  • We will not pursue legal action against good-faith security researchers who: (a) make a good-faith effort to avoid privacy violations, data destruction, and service interruption; (b) only interact with accounts they own or have explicit permission to access; and (c) give us a reasonable opportunity to remediate before public disclosure.

We do not currently operate a paid bug-bounty programme. Reports are nonetheless valued and acknowledged, and material findings will be credited to the reporter where they consent.

10. Incident Response

Credminds maintains a defined incident-response process covering identification, containment, eradication, recovery, and lessons-learned phases. Where an incident is likely to result in a risk to the rights and freedoms of natural persons (or otherwise triggers a notification obligation under applicable law), we notify affected users and the relevant supervisory authorities within the timeframes prescribed by law (for example, 72 hours under the GDPR).

11. Contact

For general questions about our security practices and for vulnerability reports, contact info@credminds.com.