CreditAxis
Trust Ops

Vendor Questionnaire Center

10 pre-answered responses across 10 topic areas. All approved. Public-facing version at /trust/vendor-review-room.

Data Security
How does CreditAxis protect customer data in transit and at rest?
approved
All data in transit between clients and the CreditAxis platform is encrypted with TLS 1.2 or higher, enforced by Vercel across all routes. Data stored in the Supabase (PostgreSQL) database is encrypted at rest with AES-256 through AWS infrastructure-level storage encryption, which protects stored data if the underlying storage media is lost or accessed outside the database. No sensitive data is written to unencrypted storage at any layer of the application.
References: CTL-005, CTL-006, POL-001, EVD-004
Access Control
What access controls govern who can access customer data?
approved
CreditAxis enforces role-based access control (RBAC) at the application layer. Roles are assigned per user based on institutional function (e.g., analyst, credit officer, senior credit officer, committee member, admin). Row Level Security (RLS) is enforced at the database layer in Supabase (PostgreSQL), so every query is restricted to rows belonging to the caller's authorized organization regardless of the application code path that issued it. Cross-tenant data access is therefore blocked at the database itself rather than relying on application-layer checks alone.
References: CTL-002, CTL-013, POL-002, EVD-002
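How organization-scoped RLS of the kind described above is typically expressed in PostgreSQL, as an added example that is not CreditAxis's schema or policies. The table and column names (org_memberships, deals, org_id) and the seed rows are constructed for illustration; auth.uid() and the authenticated role are assumed to exist as they do in a Supabase project. The role-gated update policy goes beyond the text, which places RBAC only at the application layer, and is included as a defence-in-depth variant.

```sql
-- Added example (not CreditAxis's schema or policies): per-organization tenant
-- isolation with PostgreSQL Row Level Security in a Supabase-style database.
-- Hypothetical names: org_memberships, deals, org_id. Assumes Supabase's
-- auth.uid() helper (reads the caller's JWT "sub" claim) and the
-- 'authenticated' role exist, as they do in a Supabase project.

create table org_memberships (
  user_id uuid not null,
  org_id  uuid not null,
  role    text not null
          check (role in ('analyst', 'credit_officer', 'senior_credit_officer',
                          'committee_member', 'admin')),
  primary key (user_id, org_id)
);

create table deals (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  title      text not null,
  created_by uuid not null default auth.uid()
);

-- Constructed seed data: two organizations, one user in each.
-- Seeded before RLS is enabled so the owner's inserts are not policy-bound.
insert into org_memberships values
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-0000-0000-0000-000000000001', 'credit_officer'),
  ('22222222-2222-2222-2222-222222222222', 'bbbbbbbb-0000-0000-0000-000000000002', 'analyst');
insert into deals (org_id, title, created_by) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Org A term loan', '11111111-1111-1111-1111-111111111111'),
  ('bbbbbbbb-0000-0000-0000-000000000002', 'Org B revolver',  '22222222-2222-2222-2222-222222222222');

-- Enable RLS and force it, so that even the table owner is bound by the policies.
alter table deals enable row level security;
alter table deals force row level security;

-- Reads and inserts are scoped to organizations the caller belongs to.
create policy deals_org_select on deals for select to authenticated
  using (org_id in (select org_id from org_memberships where user_id = auth.uid()));

create policy deals_org_insert on deals for insert to authenticated
  with check (org_id in (select org_id from org_memberships where user_id = auth.uid()));

-- Updates additionally require a decision-making role: a defence-in-depth
-- duplicate of the application-layer RBAC, pushed into the database.
create policy deals_org_update on deals for update to authenticated
  using (exists (select 1 from org_memberships m
                  where m.user_id = auth.uid()
                    and m.org_id  = deals.org_id
                    and m.role in ('senior_credit_officer', 'admin')))
  with check (org_id in (select org_id from org_memberships where user_id = auth.uid()));

-- Negative test: act as the org B user and confirm org A's rows are invisible.
-- set_config(..., true) is transaction-local, mirroring how PostgREST hands
-- the verified JWT claims to the database for each request.
begin;
set local role authenticated;
select set_config('request.jwt.claims',
                  '{"sub":"22222222-2222-2222-2222-222222222222","role":"authenticated"}',
                  true);
select count(*) as org_a_rows_visible from deals
 where org_id = 'aaaaaaaa-0000-0000-0000-000000000001';
select title from deals;
rollback;
```

The final two statements are the check worth keeping in a migration test: the count must be zero and the title list must contain only org B's row. Three caveats apply to any RLS-based isolation claim. The policies bind only connections that arrive as anon or authenticated carrying the user's JWT; Supabase's service-role key bypasses RLS entirely, so it must never reach a browser or client. Without force row level security the table owner is exempt from the policies. And org_memberships itself carries no policy here; in practice it needs its own, or the membership lookup should be moved into a security definer function so the policy subquery cannot be influenced by the caller.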
Audit Logging
Does CreditAxis maintain audit logs of user activity?
approved
Yes. All security-relevant and administrative actions are logged in an append-only audit_events table. Events include: user login/logout, deal submission and decision actions, policy evaluations, authority binding, exception creation and approval, override requests, and administrative configuration changes. Logs capture actor identity, timestamp, action, outcome, and relevant entity metadata.
References: CTL-004, POL-005, EVD-003
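One way to make an audit table append-only in PostgreSQL, as an added example that is not CreditAxis's code. The column layout mirrors the fields the answer lists (actor, timestamp, action, outcome, entity metadata) but the names, the sample event and the use of authenticated as the application role are assumptions.

```sql
-- Added example (not CreditAxis's code): enforcing append-only semantics on an
-- audit table in PostgreSQL. Column names are hypothetical; 'authenticated' is
-- assumed to be the application role, as in a Supabase project.

create table audit_events (
  id          bigint generated always as identity primary key,
  occurred_at timestamptz not null default now(),
  actor_id    uuid,
  action      text not null,
  outcome     text not null check (outcome in ('success', 'failure', 'denied')),
  entity_type text,
  entity_id   text,
  metadata    jsonb not null default '{}'::jsonb
);

-- Layer 1, privileges: the application role may append and read, nothing else.
-- UPDATE, DELETE and TRUNCATE are granted to no application role.
revoke all on audit_events from public;
grant select, insert on audit_events to authenticated;

-- Layer 2, triggers: refuse modification even from the table owner or a
-- privileged maintenance connection, so a misused admin credential cannot
-- quietly rewrite history without first altering the table definition.
create or replace function audit_events_immutable() returns trigger
language plpgsql as $$
begin
  raise exception 'audit_events is append-only: % rejected', tg_op
    using errcode = 'insufficient_privilege';
end;
$$;

create trigger audit_events_no_modify
  before update or delete on audit_events
  for each row execute function audit_events_immutable();

create trigger audit_events_no_truncate
  before truncate on audit_events
  for each statement execute function audit_events_immutable();

-- Constructed check: an append succeeds; an update and a delete are rejected.
insert into audit_events (actor_id, action, outcome, entity_type, entity_id, metadata)
values ('11111111-1111-1111-1111-111111111111', 'deal.decision', 'success',
        'deal', 'DEAL-1', '{"decision": "approve"}');

do $$
begin
  begin
    update audit_events set outcome = 'failure' where entity_id = 'DEAL-1';
    raise exception 'update was not rejected';
  exception when insufficient_privilege then
    raise notice 'update rejected as intended: %', sqlerrm;
  end;
  begin
    delete from audit_events where entity_id = 'DEAL-1';
    raise exception 'delete was not rejected';
  exception when insufficient_privilege then
    raise notice 'delete rejected as intended: %', sqlerrm;
  end;
end $$;
```

The DO block fails loudly if either modification slips through, which makes it usable as a migration test. The guarantee is only as strong as control over DDL: anyone who can drop or disable the trigger, or alter the table, can defeat it, so append-only in the database is a complement to, not a substitute for, restricting and separately logging privileged (break-glass) database access.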
Incident Response
What is your incident response process?
approved
CreditAxis maintains a documented Incident Response Program with four severity levels (SEV-1 through SEV-4). SEV-1 (Critical) requires acknowledgement within 1 hour and initial customer notification within 4 hours. All incidents are tracked, documented, and subject to post-incident review. Customer notification timelines are defined by severity and contractual obligations. The IRP is reviewed annually.
References: CTL-007, POL-003, EVD-005
Data Handling
Is customer data sold to third parties?
approved
No. CreditAxis does not sell, rent, or commercially share customer data with third parties. Customer data is used solely to deliver the contracted platform services. Data may be processed by disclosed subprocessors acting on CreditAxis's instructions.
References: CTL-015, POL-001, POL-009, EVD-010
Subprocessors
What third-party subprocessors does CreditAxis use?
approved
CreditAxis currently uses the following subprocessors: (1) Supabase — database hosting and authentication, hosted on AWS (US-West); (2) Vercel — frontend hosting and CDN, hosted on AWS; (3) Hugging Face — AI/ML inference, used conditionally for the Intelligence module. All subprocessors are evaluated for security posture prior to use. Customers are notified of material changes per contractual terms.
References: CTL-010, POL-007, EVD-008
Data Deletion
Can customer data be deleted upon contract termination?
approved
Yes. CreditAxis supports customer data deletion as part of the offboarding workflow. Upon contract termination, customer data is deleted per the agreed timeline (typically 30 days from termination). Deletion events are logged and a deletion certificate can be provided upon request. Data subject to legal hold is retained only as required.
References: CTL-009, POL-006, EVD-007
Compliance
Is CreditAxis SOC 2 certified?
approved
CreditAxis does not currently hold a SOC 2 certification. We have adopted NIST CSF 2.0 as our operating security framework and are conducting SOC 2 readiness activities. SOC 2 Type I is planned on our compliance roadmap. Our controls, policies, and evidence repository are structured to align with SOC 2 Trust Service Criteria. Customers can request our security packet for current state documentation.
References: CTL-001, POL-010, EVD-001
Business Continuity
What are your backup and recovery capabilities?
approved
CreditAxis leverages Supabase's automated database backup infrastructure, which provides point-in-time recovery capabilities for the primary database. The frontend application is hosted on Vercel with instant rollback capability. We maintain a Business Continuity summary that outlines our recovery approach. Formal RTO/RPO targets are being established and will be documented in the BC policy.
References: CTL-008, POL-004, EVD-006
Secure SDLC
What security practices are embedded in your development process?
approved
CreditAxis follows a documented Secure SDLC that includes: mandatory code review via pull request before merge to main, dependency tracking and vulnerability awareness, branch protection rules enforced via GitHub, CI/CD pipeline controls via Vercel, and database migration version control. No direct production access is permitted for engineering personnel outside of break-glass procedures.
References: CTL-011, CTL-012, POL-008, EVD-009