
Security & Trust

How CredScore protects your data, secures access to the platform, and handles compliance obligations. We update this page whenever our security posture changes.

Data handling

Wallet addresses analyzed
Stored only when you explicitly save them. Trial analyses are not persisted to the user account.
Transaction data
Fetched live from the Alchemy API at analysis time. We do not maintain a long-term cache of transaction history.
Personal information
We collect email, name (if provided to Clerk), and authentication metadata. No payment data is stored on our servers — Stripe handles all payment information directly.
Audit log
Every analysis you run is logged with timestamp, address, score, and tier. This is your audit trail for compliance reporting.

Encryption

In transit
All connections use TLS 1.2 or higher. HTTPS is enforced sitewide.
At rest
Database storage on Supabase uses AES-256 encryption at rest. Backups are encrypted.
Secrets management
API keys and credentials are stored in Vercel environment variables, never in source code or logs.

Access control

Authentication
Clerk handles user authentication with industry-standard practices: secure password hashing, email verification, optional MFA, and session management.
Authorization
Every API endpoint enforces user identity. Saved wallets, cases, and notes are scoped to your user account and cannot be accessed by other users.
Team workspaces
Organization-scoped data uses role-based access control with Owner, Admin, and Analyst roles.
Service role isolation
Database writes use a service role key isolated to server-side code. The client never receives privileged credentials.

Audit and observability

Analysis audit log
Every wallet analysis is logged per user. Exportable as CSV from your account page.
Case event timeline
Every action on a case (status change, note, wallet attachment) is logged with timestamp and user.
Score history
Every wallet analysis is recorded with timestamp, allowing you to track score drift over time.
Platform intelligence
Aggregate scoring data is collected without user attribution to improve engine accuracy. Individual user activity is never exposed in this dataset.

Compliance posture

OFAC sanctions
Weekly automated sync from the official Treasury SDN (Specially Designated Nationals) list. The engine enforces a hard cap of score 12 on any wallet matching a sanctioned address.
Data retention
User-saved data is retained while the account is active. On account deletion, all user data (saved wallets, cases, notes, audit log) is removed within 30 days.
GDPR alignment
Users can request data export and deletion at any time by emailing wade@credscore.us. We respond within 30 days.
SOC 2
SOC 2 Type II certification is on the roadmap for late 2026. We are happy to share interim documentation for enterprise prospects under NDA.

Engine integrity

Deterministic scoring
The risk engine is fully deterministic. The same inputs always produce the same outputs. There is no machine learning, no black box.
Explainability
Every signal that affects the score is shown in the breakdown with a written rationale. Every decision posture has a written explanation.
Sanctions enforcement
Self-sanctioned wallets are hard-capped at score 12 across three independent enforcement points in the scoring pipeline.
Auditability
The scoring engine is open to internal audit. Enterprise customers can review the engine logic under NDA.

Incident response

Reporting
Security issues should be reported to wade@credscore.us. We acknowledge reports within 24 hours.
Disclosure
We follow responsible disclosure. Confirmed vulnerabilities are patched before public discussion.
Status page
Service health and incident history are published at credscore.us/status.
Need more detail?
Enterprise prospects can request our full security questionnaire, architecture diagrams, and compliance documentation under NDA.