Pilot Boundaries
—Standalone pilot. No integration with core banking systems required for pilot participation.
—Synthetic or redacted data recommended. Live data handling is governed by the DPA. Redacted or synthetic data is strongly recommended for initial pilot phase.
—No autonomous credit decisioning. CreditAxis enforces governance and traceability. Final credit decisions remain with designated human reviewers at all times.
—All AI outputs require human review. AI-assisted drafts are presented for human review. No AI output is committed to a deal record without explicit user action.
—Structured offboarding. Pilot concludes with formal data deletion and optional deletion certificate. No data retained beyond agreed deletion date.
Evidence Status
Available | Available under NDA | In Progress | Scheduled | Not Yet Published
Available under NDA — furnished to qualified reviewers under an executed mutual NDA. Request access using the button in the header.
Scheduled — not yet available; status is reported accurately.
Encryption in transit
TLS 1.2 or higher at all service boundaries
Encryption at rest
AES-256 via Supabase infrastructure
RBAC
Enforced at application layer (org_role_permissions)
Row-level security
Enforced at database layer on all customer data tables
Incident notification
Within 72 hours for confirmed incidents
AI human review
Required. No autonomous decisioning.
2 artifacts are publicly available without NDA: Pilot Recovery Profile and Subprocessor Inventory.
1. Architecture and Data Handling
System Architecture Diagram
v2.1
Available under NDA
High-level system architecture illustrating component boundaries, service dependencies, and data flow zones.
Owner Engineering
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
Illustrates how customer data enters, traverses, and exits the system, including subprocessor touchpoints.
Owner Engineering
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
2. Access Control and Tenant Isolation
Tenant Isolation and Authorization Model
v1.2
Available under NDA
Documents the multi-tenant isolation model, including how organization-level boundaries are enforced at the data layer.
Owner Engineering
Reviewed Feb 2026
Next review Aug 2026
Available to qualified reviewers under executed NDA. Request access below.
RBAC and Row-Level Security Evidence Summary
v1.1
Available under NDA
Summary of role-based access controls and row-level security implementation across the platform.
Owner Engineering
Reviewed Feb 2026
Next review Aug 2026
Available to qualified reviewers under executed NDA. Request access below.
Privileged Access Review Cadence
v1.0
Available under NDA
Administrative and privileged access is reviewed on a defined schedule with documented outcomes.
Owner Operations
Reviewed Feb 2026
Next review Aug 2026
Available to qualified reviewers under executed NDA. Request access below.
3. Audit and Logging
Audit Log Sample and Retention Summary
v1.1
Available under NDA
CreditAxis maintains an immutable, append-only audit log for all governance events. Retention policy is documented and enforced.
Owner Engineering
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
4. Vulnerability and Incident Management
Vulnerability Management Policy
v1.0
Available under NDA
Formal policy governing identification, classification, remediation, and verification of security vulnerabilities.
Owner Security
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
Latest Dependency and SAST Scan Excerpt
In Progress
Automated dependency and static analysis scans run on each release. Latest scan summary available under NDA.
Owner Security
Reviewed Apr 2026
Next review Jul 2026
In progress — interim summary available under NDA.
Incident Response Plan
v1.1
Available under NDA
Formal incident response plan covering detection, triage, containment, notification, recovery, and post-incident review.
Owner Security
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
A third-party application penetration test is scheduled for Q3 2026. No completed external penetration test artifact exists at this time. This status is reported accurately.
Owner Security
Next review Sep 2026
Scheduled — not yet available. Target date will be published when confirmed.
5. Resilience and Recovery
Backup and Restore Procedure
v1.0
Available under NDA
Backup procedures are defined and automated. Point-in-time recovery is available through the infrastructure provider.
Owner Operations
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
Latest Restore Test Summary
Not Yet Published
Restore testing is part of the recovery program. Restore test results will be published under NDA when available. Testing scheduled for Q3 2026.
Owner Operations
Next review Sep 2026
Pilot Recovery Profile
v1.0
Available
Documents the recovery objectives and backup posture applicable to the controlled pilot environment. RTO: 24 hours. RPO: 4 hours.
Owner Operations
Reviewed Feb 2026
Next review Aug 2026
Secure Release and Change Management Standard
v1.0
Available under NDA
All production changes follow a documented change management process with approval gates and rollback readiness.
Owner Engineering
Reviewed Jan 2026
Next review Jul 2026
Available to qualified reviewers under executed NDA. Request access below.
6. Subprocessors and Data Processing
Subprocessor Inventory
v1.2
Available
Current list of third-party subprocessors: Supabase (database/auth), Vercel (hosting/CDN), Hugging Face (AI inference — conditional).
Owner Operations
Reviewed Feb 2026
Next review Aug 2026
7. AI Governance and Validation
AI Governance Standard
v1.1
Available under NDA
Governs the use of AI models within CreditAxis, including approved lanes, prohibited uses, human review requirements, and rollback procedures.
Owner Product / Engineering
Reviewed Feb 2026
Next review Aug 2026
Available to qualified reviewers under executed NDA. Request access below.
Model Inventory Summary
v1.0
Available under NDA
Summary of AI models in use, their approved lanes, provider, and governance status.
Owner Engineering
Reviewed Feb 2026
Next review Aug 2026
Available to qualified reviewers under executed NDA. Request access below.
Model Validation Summary
v1.0
Available under NDA
All active AI models have passed defined validation checks including prompt review, schema validation, and human-approval gating.
Owner Engineering
Reviewed Feb 2026
Next review Aug 2026
Available to qualified reviewers under executed NDA. Request access below.
Subprocessor Detail
Last reviewed: February 2026. This list is consistent with the DPA and model governance disclosure.
| Subprocessor | Category | Data Processed | Region | Certification |
|---|---|---|---|---|
| Supabase | Database and Authentication | Customer deal data, user identity, audit logs, governance records | AWS US-West-2 (Oregon) | SOC 2 Type II |
| Vercel | Frontend Hosting and CDN | Session metadata, application traffic | Global CDN / AWS | SOC 2 Type II |
| Hugging Face (Conditional) | AI/ML Inference | Deal narrative inputs (no PII, no full borrower records) | US / AWS | Conditional engagement |
Hugging Face is engaged only when the Intelligence module is active for a customer. Input data consists of deal narrative context — no PII or full borrower records are transmitted.
Access NDA Materials
16 artifacts available under NDA
Architecture diagrams, access control evidence, audit log samples, vulnerability records, incident response plan, AI governance standard, and model validation records. Submit a request and we will respond within 2 business days.