Security & Compliance

Security Controls

Kredete applies defence-in-depth controls across the stack:

  • Network. Segmented VPCs, private subnets for data workloads, WAF on all public endpoints, DDoS protection at the edge, and restrictive security groups.
  • Platform. Hardened container base images, automated vulnerability scanning, least-privilege IAM roles, and short-lived credentials via an identity federation provider.
  • Application. Input validation, output encoding, CSRF and XSS protection on web surfaces, authenticated and authorised APIs with fine-grained scopes, and SAST/DAST in CI.
  • Data. Encryption at rest and in transit, key management via a managed KMS, and tokenisation for regulated card data.
  • Access. Single sign-on with mandatory MFA for staff, role-based access control, just-in-time elevated access, and full audit logging.
  • Secrets. All credentials are stored in a managed secrets manager; no secrets are persisted in source control or container images.

User-Facing Security Features

From the user's perspective, the platform provides:

  • Face authentication for login and sensitive actions.
  • Security question fallback for account recovery.
  • Device management, with visibility into all active sessions and the ability to revoke them.
  • Geolocation-based anomaly detection.
  • Behavioural transaction flagging for unusual patterns, triggering step-up verification.
  • Backend user risk classification that tunes limits and review workflows to the user's risk profile.
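The last two items describe a risk-based step-up decision: a behavioural score for the transaction combined with a per-user risk tier that sets the limits. The following Python is an added illustration of that pattern and is not Kredete's code; the tier names, the per-tier limits and score thresholds, the signals used (geolocation mismatch, unrecognised device, amount far outside the user's own baseline) and the thin-history rule are all assumptions chosen for the example.

```python
"""Illustrative risk-scoring and step-up decision for a single transaction.

Added example, not Kredete's code. Tier names, limits, thresholds and the
anomaly signals are assumptions for the sake of illustration.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class UserProfile:
    user_id: str
    risk_tier: str                 # assumed tiers: "low", "medium", "high"
    home_country: str              # ISO country code the user normally transacts from
    recent_amounts: list = field(default_factory=list)  # prior transaction amounts


@dataclass
class Transaction:
    amount: float
    country: str                   # country derived from the request's geolocation
    new_device: bool               # True if the device is not in the user's device list


# Single-transaction amount above which step-up is always required (assumed values).
STEP_UP_LIMITS = {"low": 2000.0, "medium": 500.0, "high": 100.0}

# Anomaly score at which step-up is triggered, tuned per risk tier (assumed values).
SCORE_THRESHOLDS = {"low": 4, "medium": 3, "high": 2}


def score_transaction(profile: UserProfile, tx: Transaction):
    """Return (score, reasons); a higher score means a more unusual transaction."""
    score = 0
    reasons = []
    if tx.country != profile.home_country:
        score += 2
        reasons.append("geolocation mismatch")
    if tx.new_device:
        score += 2
        reasons.append("unrecognised device")
    if len(profile.recent_amounts) >= 5:
        # Compare against the user's own baseline; guard against a zero spread
        # (identical past amounts) so the z-score stays well defined.
        mu = mean(profile.recent_amounts)
        sd = pstdev(profile.recent_amounts) or 1.0
        if (tx.amount - mu) / sd > 3:
            score += 3
            reasons.append("amount far above user's baseline")
    else:
        # Too little history to build a baseline: treat as mildly anomalous.
        score += 1
        reasons.append("insufficient transaction history")
    return score, reasons


def requires_step_up(profile: UserProfile, tx: Transaction):
    """Decide whether step-up verification is required. Returns (bool, reasons)."""
    score, reasons = score_transaction(profile, tx)
    # Hard limit by tier: always step up above it, regardless of behavioural score.
    if tx.amount > STEP_UP_LIMITS[profile.risk_tier]:
        reasons.append(f"amount exceeds {profile.risk_tier}-tier limit")
        return True, reasons
    return score >= SCORE_THRESHOLDS[profile.risk_tier], reasons


if __name__ == "__main__":
    # Constructed sample data.
    alice = UserProfile("alice", "low", "NG", [50, 60, 55, 45, 50])
    print(requires_step_up(alice, Transaction(55, "NG", False)))    # (False, [])
    print(requires_step_up(alice, Transaction(400, "GB", False)))   # (True, [...])
```

The two signals are deliberately kept separate: the tier limit is a hard ceiling that does not depend on the behavioural model, while the score threshold is what the risk classification tunes. A user with fewer than five past transactions never gets a baseline comparison and instead carries a small fixed penalty, which is how the example handles the cold-start edge case.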

Regulatory Compliance

Kredete is a financial technology company; regulated financial services are delivered through licensed partner institutions in each jurisdiction. Across the footprint, the platform is designed to support obligations including:

  • Money transmission licensing (via US partner institutions and equivalent partners in other jurisdictions).
  • AML/CFT obligations, including KYC, ongoing monitoring, sanctions screening, and suspicious activity reporting.
  • Consumer data protection regulations applicable in each market (including GDPR in the EU/UK and NDPA in Nigeria).
  • Fair Credit Reporting Act (FCRA) obligations for US credit-building and reporting products.

Logging, Monitoring & Incident Response

  • All services emit structured application logs, metrics, and distributed traces to a central observability platform.
  • Security-relevant events are forwarded to a dedicated SIEM for correlation and alerting.
  • On-call engineers monitor platform health 24/7 with tiered escalation.
  • An incident response plan defines severity classification, roles, internal and external communication, and regulatory notification procedures.
  • Post-incident reviews are conducted for every Sev-1 and Sev-2 incident, with remediation actions tracked to closure.
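As an added illustration of the kind of correlation a SIEM performs over the structured events described above, the following Python runs a single detection rule over a few constructed JSON log lines: a burst of failed logins for one user from one IP, followed by a successful login from the same IP within a short window. This is example code, not Kredete's SIEM configuration; the event names, field layout, window length and failure count are assumptions.

```python
"""Illustrative SIEM-style correlation rule over structured authentication logs.

Added example, not Kredete's code. The log format, event names, window and
threshold are assumptions for the sake of illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (JSON per line, as a structured logger would emit).
SAMPLE_LOGS = """\
{"ts":"2024-05-01T10:00:00Z","event":"login_failed","user":"u1","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:20Z","event":"login_failed","user":"u1","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:00:40Z","event":"login_failed","user":"u1","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:01:00Z","event":"login_failed","user":"u1","ip":"203.0.113.5"}
{"ts":"2024-05-01T10:01:30Z","event":"login_success","user":"u1","ip":"203.0.113.5"}
{"ts":"2024-05-01T11:00:00Z","event":"login_failed","user":"u2","ip":"198.51.100.7"}
{"ts":"2024-05-01T11:30:00Z","event":"login_success","user":"u2","ip":"198.51.100.7"}
"""


def parse_events(text: str):
    """Parse JSON lines into dicts with a datetime timestamp, sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                      # tolerate blank lines in the input
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_failures_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Alert when >= min_failures failed logins for (user, ip) precede a success
    from the same (user, ip) within `window`. Returns a list of alert dicts."""
    alerts = []
    failures = defaultdict(list)          # (user, ip) -> timestamps of failed logins
    for ev in events:
        key = (ev["user"], ev["ip"])
        if ev["event"] == "login_failed":
            failures[key].append(ev["ts"])
        elif ev["event"] == "login_success":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= min_failures:
                alerts.append({
                    "rule": "failed_logins_then_success",
                    "user": ev["user"],
                    "ip": ev["ip"],
                    "failures_in_window": len(recent),
                    "at": ev["ts"].isoformat(),
                })
            failures[key].clear()         # a success closes the current burst
    return alerts


if __name__ == "__main__":
    for alert in detect_failures_then_success(parse_events(SAMPLE_LOGS)):
        print(json.dumps(alert))
```

The rule keys on the (user, IP) pair so that a user's own typo-laden attempts from one device and an unrelated login from elsewhere are not conflated, and it clears the burst on success so that one incident produces one alert rather than one per later login. In the sample, u1 triggers the rule (four failures within 90 seconds of the success) and u2 does not (a single failure, half an hour earlier).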