Vendor Risk Overview
Product boundary, deployment model, subprocessors, and diligence materials — implemented and current.
Product Boundary
CreditAxis does not make credit decisions. CreditAxis enforces governance, workflow control, traceability, and audit reconstruction. Final credit decisions remain under bank authority and require explicit human approval.
CreditAxis is structured to align with how credit decisions are reviewed, challenged, and reconstructed during internal review, audit, and regulatory examination.
Deployment Model
CreditAxis is delivered as a cloud-based application with institution-specific tenant boundaries, authenticated access, and role-based permissions. The platform is multi-tenant with data isolation enforced at both the application layer (RBAC) and the database layer (RLS).
There is no on-premises deployment for the pilot phase.
Pilot Boundaries
- Standalone pilot — No integration with core banking systems is required for pilot participation.
- Synthetic or redacted data recommended — Live data handling is governed by the DPA.
- No autonomous credit decisioning — Final approvals remain with designated human reviewers.
- All AI outputs require human review — No AI output is committed to a deal record without explicit user action.
- Structured offboarding — Data deletion at pilot conclusion with optional deletion certificate.
Subprocessors
CreditAxis engages three third-party subprocessors. This list is current and reconciled with the DPA and model governance disclosures.
| Subprocessor | Role | Data Processed | Certification |
|---|---|---|---|
| Supabase | Database and Authentication | Customer data, audit logs, governance records | SOC 2 Type II |
| Vercel | Frontend Hosting and CDN | Session metadata, application traffic | SOC 2 Type II |
| Hugging Face | AI/ML Inference (conditional) | Deal narrative inputs (no PII) | Conditional engagement |
_Hugging Face is engaged only when the Intelligence module is active. Full subprocessor inventory with geographic scope and DPA references: subprocessor-inventory (available)._
Security Summary
- Encryption in transit: TLS 1.2 or higher at all service boundaries
- Encryption at rest: AES-256 via Supabase infrastructure
- Access controls: RBAC at application layer, RLS at database layer
- Audit logging: Immutable append-only log for all governance events
- Incident notification: 72 hours for confirmed incidents affecting Customer Data
Full security controls are documented in the Security Controls page and available under NDA in the Vendor Review Room.
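The database-layer tenant isolation (RLS) and the append-only governance log described above, shown as an added example in Postgres/Supabase SQL; this is illustrative code, not CreditAxis's own schema or policies, and the table, column and JWT claim names are assumptions:

```sql
-- Added example, not CreditAxis code; table, column and claim names are assumed.
-- Tenant id comes from a custom JWT claim exposed by Supabase's auth.jwt(),
-- never from a query parameter, so a client cannot name another tenant.
create or replace function app_tenant_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'tenant_id', '')::uuid
$$;

create table deals (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  narrative text
);
alter table deals enable row level security;
alter table deals force row level security;  -- bind the table owner as well

-- USING scopes reads; WITH CHECK stops an insert or update from placing a
-- row under another tenant.
create policy deals_tenant_isolation on deals
  for all to authenticated
  using (tenant_id = app_tenant_id())
  with check (tenant_id = app_tenant_id());

-- Governance log: insert and read only. With RLS enabled and no UPDATE or
-- DELETE policy, those statements affect zero rows for application roles.
create table governance_events (
  id          bigint generated always as identity primary key,
  tenant_id   uuid not null default app_tenant_id(),
  actor_id    uuid not null default auth.uid(),
  event_type  text not null,
  payload     jsonb not null,
  recorded_at timestamptz not null default now()
);
alter table governance_events enable row level security;
alter table governance_events force row level security;
create policy events_append on governance_events
  for insert to authenticated with check (tenant_id = app_tenant_id());
create policy events_read on governance_events
  for select to authenticated using (tenant_id = app_tenant_id());

-- Defence in depth: refuse mutation even for roles that bypass RLS.
create or replace function reject_mutation() returns trigger
language plpgsql as $$
begin
  raise exception 'governance_events is append-only';
end $$;
create trigger governance_events_immutable
  before update or delete on governance_events
  for each row execute function reject_mutation();
```

A practical check for a reviewer is to run the same SELECT under two tenants' JWTs and confirm each returns only its own rows, then attempt an UPDATE on governance_events and confirm it is rejected.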
Data Handling
Customer data is not used to train generalized AI models except as expressly permitted by written contract. Pilot data access is restricted to designated pilot users. AI inference inputs consist of deal narrative context — no PII or full borrower records are transmitted to the AI inference provider.
Due Diligence Materials
Public:
- Vendor Risk Overview (this page)
- Architecture and Tenant Isolation summary
- Security Controls summary
- Resilience and Recovery summary
- Model Governance summary
- Legal and Commercial summary
- Subprocessor inventory
- Pilot recovery profile
Available under NDA (request access at /trust/request-access):
- Architecture diagrams (C4 level)
- Data flow diagrams with data classification
- Tenant isolation and authorization model detail
- RBAC and RLS evidence summary
- Audit log samples
- Vulnerability management policy
- Latest scan excerpt
- Incident response plan
- Backup and restore procedures
- Secure release and change management standard
- AI governance standard
- Model inventory and validation records
Scheduled (not yet available):
- Third-party penetration test report (Q3 2026)
- Restore test summary (Q3 2026)
- SOC 2 Type I (2027)