Security & Compliance Program

Yes. CreditXpert tests this plan annually.

Immediate.

CreditXpert utilizes Amazon Elastic Container Services (ECS) which establish our cloud instances immediately. As such, when AWS is up, we are up. If AWS has an outage, our services will be available as soon as AWS services are available.

Yes. CreditXpert developed and maintains its IRP as required by Applicable Laws, which may include applicable US federal and state laws which may apply to CreditXpert by virtue of contracts with users or business partners, including regulated clients, such as financial institutions governed by Gramm-Leach-Bliley Act.

Elements that appear on a credit report are consumed by Platform, however, only reference information to tie the loan officer to the applicant’s plan are stored using cryptographically secure hash methods. This hash data is comprised of several values; however, this is a one-way hash and not reversable in a way that is readable by a human nor would expose the original values.

All processing and storage of data is performed under industry security best practices and validated annually for effectiveness during our SOC 2 Type 2 and ISO 27001 audit certifications.

Industry standard security controls are in place and operating effectively to SOC 2 and ISO 27001 standards. These controls and processes are evaluated annually by independent auditors.

No, your LOS is not interacted with by our SaaS.

Raw credit data is never stored. Reference information needed to connect a mortgage professional to an optimization plan (name, e-mail Ref #) is stored in AWS.

Application Data (transaction data, log data) is stored for 180 days hot/7 years cold. User data (i.e. loan originator user ID) is stored for 3 years.

CreditXpert utilizes FIPS (Federal Information Processing Standard) approved encryption algorithms which may include RSA, AES-256, SHA-256, SHA-512, and TLS 1.2 or greater. All encryption mechanisms are implemented to support a minimum of, but not limited to the industry standard, AES 256-bit encryption. Additionally, we use proprietary technologies for encrypting confidential data and follow cryptographic modules and algorithms.

Yes, data is encrypted in transit and at rest.

No.

CreditXpert’s Platform is SaaS and does not install on your systems or in your environment. Users can access Platform from an industry standard web browser.

The Plan is stored in CreditXpert’s AWS tenant. Reference information to tie the LO to the borrower’s plan is stored. The plan contains data that is either masked or obfuscated using common standards (PCI DSS) so that only the applicant can make sense of the information (last four digits of an account, first name, last initial, etc) and this not considered PII.

Yes, Admin accounts are separate from User accounts.

Yes.

Yes.

Internal and external vulnerability scanning occurs frequently. Processes to remediate findings follow a risk management process.

Yes, CreditXpert follows industry standard secure coding practices as defined in our policies and procedures.

CreditXpert uses AWS, AWS enhanced security measures, and other cloud-based security tools proven in the industry.

Our web application is hosted in a VPC on AWS, logically and physically separate from our corporate network.

Platform DB is backed up daily and kept for 7 days. Backups are stored in AWS, N VA.

CreditXpert uses predictive analytics that leverage Neural Networks (NN). No generative AI or Large Language Model (LLM) (CHAT GPT or Gemini) is used to produce Optimization Plans. Our NN is proprietary, confidential, and resides only within our product.

CreditXpert’s predictive analytics is a proprietary model used to provide information on Optimization Plans within the Platform.

No.

CreditXpert’s predictive analytics is hosted in our secure AWS (cloud) environment (Note: We do not use LLM).

Secure RESTful endpoints are used with connection to your CRA.

CreditXpert’s algorithms are trained on anonymized datasets that have been de-identified per PCI-DSS standards. (Note: The development process is proprietary and cannot be shared).

CreditXpert constantly monitors the algorithm’s accuracy and makes updates as needed (Note: The development process is proprietary and cannot be shared).

CreditXpert conducts accuracy and performance testing with each release.

CreditXpert’s algorithms use deidentified and masked data.  It does not receive demographics and does not interface with consumers.

Testing and maintenance of our algorithms follows our standard SDLC and Change Management policies that are tested annually in our SOC 2 Type 2 and ISO 27001 audit certifications.

Our algorithms fall under our SOC 2 and ISO 27001 controls and internal policies which are tested annually by independent auditors. (Note: Per our Terms of Use – both parties will conduct their business in conformity with all Applicable Laws, which may include the FCRA, GLBA, and other laws governing data privacy and protection).

Security Awareness Training is provided to all new hires and performed quarterly for all employees.

We enforce employment agreements that includes confidentiality of sensitive information.

Yes, CreditXpert does have a Vendor Management Program.