Get Early Access to Credible

Sign up to join our early access program. We’re rolling out new spots in batches and will reach out with your invite soon.

You’re on the list!
We’re onboarding new users in batches and will be in touch soon.
Oops! Something went wrong while submitting the form.

Security

Credible is the context engine for the AI era. The data we model—and the meaning we deliver—is some of the most sensitive information our customers own. Earning and keeping their trust is foundational to everything we build.

This page summarizes how we approach security across our product, our infrastructure, and our company.

Compliance & Certifications

SOC 2 Type I (in progress). Credible is actively undergoing a SOC 2 Type I audit covering the Security trust services criteria, with Type II to follow. Customers and prospects can request our security package—including current policies and the auditor's letter once issued—by emailing security@credibledata.com. Our current subprocessor list is published.

Privacy. We operate in alignment with GDPR and CCPA principles. Our Privacy Policy details how we collect, use, and protect personal information.

Cloud foundations. Credible runs on AWS and Google Cloud, both of which maintain SOC 2, ISO 27001, and a broad set of additional certifications for the underlying infrastructure we build on.

Product Security

Encryption. All customer data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256.

Authentication & access. Credible supports SSO via Google and Microsoft, with SAML SSO available for enterprise customers. Role-based access control governs who can read, model, and administer data inside each workspace.

Tenant isolation. Each customer workspace is logically isolated. Embedded analytics customers serving multiple end-tenants get additional row- and column-level controls to enforce isolation between their own users.

Audit logging. Administrative and data-access events are logged for review and exportable for customers on appropriate plans.

Open source foundation. Credible is built on the open-source modeling language Malloy. Models are portable and inspectable—customers retain ownership of the meaning they encode in Credible.

Operational Security

Least privilege. Internal access to production systems is limited to employees who require it for their role, requires SSO with hardware-backed multi-factor authentication, and is reviewed regularly.

Secure development. Code changes go through peer review and automated checks before merging. Dependencies are monitored for known vulnerabilities.

Vendor management. We maintain a list of subprocessors that handle customer data and review them as part of our security program.

Incident response. We maintain a documented incident response process and notify affected customers of any incident impacting their data without undue delay.

Reporting a Security Issue

We welcome reports from security researchers, customers, and the broader community. If you believe you've found a vulnerability in Credible's product or infrastructure, please email us at security@credibledata.com.

When reporting, please include:

  • A description of the issue and where you found it
  • Steps to reproduce
  • Any proof-of-concept code or screenshots
  • Your name and how you'd like to be credited (if at all)

We commit to acknowledging valid reports promptly, keeping you updated as we investigate, and not pursuing legal action against researchers who report issues in good faith and follow responsible disclosure practices. Please give us a reasonable window to remediate before any public disclosure.

Contact

For security questions, audit requests, or vulnerability reports:
security@credibledata.com

For privacy and data subject requests:
privacy@credibledata.com

Credible Data Inc.
1007 Pearl St, Ste 220
Boulder, CO 80302