Security & Compliance

Your Data. Your Borrowers. Your Examination.

OCC- and FDIC-supervised institutions are required to conduct third-party vendor risk reviews before onboarding any service provider that accesses consumer financial data. CredVynt maintains a complete vendor due diligence package — security controls, model documentation, GLBA data processing agreement, and ECOA compliance framework — prepared for community bank and credit union procurement teams.

CredVynt does not guarantee that your institution's use of our platform will satisfy every examiner's requirements. Compliance determinations remain with your institution and its qualified counsel and examiners.

Technical Controls

Security Controls Overview

These controls are operational today. CredVynt is actively working toward SOC 2 Type II certification — our controls framework is built to the AICPA Trust Services Criteria, and we anticipate beginning a formal audit engagement in 2026. We do not currently hold SOC 2 Type II certification. A detailed security controls questionnaire is available to lender clients upon request.

Encryption in Transit & at Rest

All data transmitted to and from CredVynt uses TLS 1.3. Data stored in our systems is encrypted using AES-256. Encryption keys are managed using an industry-standard key management service with rotation policies.

Access Control & Authentication

Multi-factor authentication is required for all CredVynt staff accessing production systems. Role-based access control (RBAC) limits data access to a need-to-know basis. All access events are logged and monitored.

Applicant Consent Architecture

No applicant data is accessed without explicit, recorded consent. The consent flow is embedded in the lender's existing application process. Consent records are logged with timestamp, applicant identifier, and scope of authorization.

Data Minimization & Retention

CredVynt collects only the data fields necessary to generate the credit decision. Raw applicant financial data is retained for the regulatory minimum period and then purged. We do not sell or share applicant data with third parties beyond the scope of the decision.

Regulatory Alignment

Regulatory Alignment Built Into the Product

CredVynt monitors regulatory guidance from the CFPB, OCC, FDIC, and NCUA on alternative data, model risk, and fair lending as part of our product development process. The compliance controls below are designed to reflect current guidance — including the CFPB's Request for Information on the use of alternative data and OCC Bulletin 2011-12 on model risk management.

ECOA / Regulation B — Adverse Action Framework

CredVynt's decisioning models are designed with ECOA and Regulation B compliance as explicit requirements. Decision factors are limited to ECOA-permissible credit criteria. We do not use protected-class proxies, and we do not use attributes identified as facially neutral but disparately impactful without documented business necessity. Reg B–formatted adverse action reason codes are generated automatically for every non-approval decision. CredVynt does not issue adverse action notices on behalf of lenders — that legal obligation remains with the creditor institution.

GLBA Safeguards Rule — Service Provider Obligations

CredVynt operates as a service provider under the Gramm-Leach-Bliley Act. We execute a Data Processing Agreement (DPA) with each lender client that establishes permissible uses of applicant financial data, your institution's audit and inspection rights, CredVynt's data security obligations, and breach notification timelines — consistent with the FTC's updated GLBA Safeguards Rule requirements that apply to financial institutions and their service providers.

Applicant Consent-First Design

Every data pull is gated by applicant authorization. The consent flow is designed to meet the disclosure and authorization standards expected by banking examiners. Applicants can revoke consent at any time, and revocations are processed within 48 hours with full data deletion.
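The consent architecture described in this section and under "Applicant Consent Architecture" above (every pull gated on a recorded, scoped authorization; consent records carrying timestamp, applicant identifier and scope; revocation followed by deletion) can be illustrated with a small registry. The following Python is an added example written for this page, not CredVynt's code; the class and scope names (ConsentRegistry, "bank_transactions", "payroll"), the sample transaction data and the applicant identifier are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass
class ConsentRecord:
    """One consent grant: applicant, authorized scopes, grant time, revocation time."""
    applicant_id: str
    scopes: FrozenSet[str]
    granted_at: datetime
    revoked_at: Optional[datetime] = None

    def covers(self, scope: str) -> bool:
        # A consent only covers a pull if it is still active and names the scope.
        return self.revoked_at is None and scope in self.scopes


class ConsentDenied(Exception):
    """Raised when a data pull is attempted without an active, covering consent."""


class ConsentRegistry:
    """Gates every data pull on a recorded consent and writes an audit entry for each outcome."""

    def __init__(self) -> None:
        self._consents: Dict[str, ConsentRecord] = {}
        self._store: Dict[str, Dict[str, object]] = {}   # applicant -> scope -> pulled data
        self.audit_log: List[dict] = []

    def _log(self, event: str, applicant_id: str, scope: str, now: datetime, allowed: bool) -> None:
        self.audit_log.append({"ts": now.isoformat(), "event": event,
                               "applicant": applicant_id, "scope": scope, "allowed": allowed})

    def record_consent(self, applicant_id: str, scopes, now: datetime) -> None:
        self._consents[applicant_id] = ConsentRecord(applicant_id, frozenset(scopes), now)
        self._log("consent_granted", applicant_id, ",".join(sorted(scopes)), now, True)

    def pull(self, applicant_id: str, scope: str,
             source: Callable[[str], object], now: datetime) -> object:
        # Deny-by-default: the pull happens only when an active consent names this scope.
        rec = self._consents.get(applicant_id)
        allowed = rec is not None and rec.covers(scope)
        self._log("data_pull", applicant_id, scope, now, allowed)
        if not allowed:
            raise ConsentDenied(f"no active consent for {applicant_id} / {scope}")
        payload = source(applicant_id)
        self._store.setdefault(applicant_id, {})[scope] = payload
        return payload

    def revoke(self, applicant_id: str, now: datetime) -> bool:
        rec = self._consents.get(applicant_id)
        if rec is None:
            return False
        rec.revoked_at = now
        self._log("consent_revoked", applicant_id, "*", now, True)
        return True

    def purge_revoked(self, now: datetime) -> List[str]:
        """Delete all stored data for applicants whose consent has been revoked."""
        purged = []
        for aid, rec in self._consents.items():
            if rec.revoked_at is not None and aid in self._store:
                del self._store[aid]
                purged.append(aid)
                self._log("data_purged", aid, "*", now, True)
        return purged

    def stored_scopes(self, applicant_id: str) -> List[str]:
        return sorted(self._store.get(applicant_id, {}))


def demo() -> dict:
    """Grant -> in-scope pull -> out-of-scope denial -> revoke -> post-revoke denial -> purge."""
    reg = ConsentRegistry()
    t0 = datetime(2025, 1, 15, 9, 0, tzinfo=timezone.utc)
    # Constructed stand-in for a bank data connector; returns sample transactions.
    fake_bank = lambda aid: [{"date": "2025-01-02", "amount": -42.10}]

    reg.record_consent("app-001", {"bank_transactions"}, t0)
    txns = reg.pull("app-001", "bank_transactions", fake_bank, t0)
    try:
        reg.pull("app-001", "payroll", fake_bank, t0)       # scope never authorized
        payroll_denied = False
    except ConsentDenied:
        payroll_denied = True
    reg.revoke("app-001", t0 + timedelta(hours=1))
    try:
        reg.pull("app-001", "bank_transactions", fake_bank, t0 + timedelta(hours=2))
        post_revoke_denied = False
    except ConsentDenied:
        post_revoke_denied = True
    purged = reg.purge_revoked(t0 + timedelta(hours=3))
    return {"txn_count": len(txns), "payroll_denied": payroll_denied,
            "post_revoke_denied": post_revoke_denied, "purged": purged,
            "remaining": reg.stored_scopes("app-001"), "audit_entries": len(reg.audit_log)}


if __name__ == "__main__":
    print(demo())
```

The point the walkthrough makes is that the scope check is applied on every pull, not once at onboarding, so a revocation takes effect before the purge job runs, and the audit log records denials as well as grants, which is what an examiner asking for evidence of consent enforcement would expect to see.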

Model Risk Management — SR 11-7 Documentation

CredVynt's decisioning models are documented in a format aligned with the Federal Reserve's SR 11-7 supervisory guidance and OCC Bulletin 2011-12. Documentation includes model purpose and scope, input data definitions, decision logic, performance testing methodology, and ongoing monitoring procedures. This documentation is provided to lender clients to support their independent model validation obligations. CredVynt does not conduct model validation on behalf of lender institutions — that is a separate regulatory obligation that must be performed by your institution or a qualified third-party validator.

Due Diligence FAQ

Questions from Procurement Teams

Raw applicant financial data (bank transaction records, payroll records) is retained for 36 months from the date of the decision to support audit and regulatory inquiry, then purged. Decision outputs and metadata are retained for 7 years consistent with credit record requirements. Specific retention terms are codified in the Data Processing Agreement executed with each lender client.

CredVynt uses a small number of subprocessors for cloud infrastructure (hosting and storage), payroll data connectivity (direct payroll provider APIs), and bank transaction data access (open banking connectivity). A current subprocessor list is available to lender clients under NDA as part of our vendor due diligence package. Contact us at [email protected] to request it.

CredVynt maintains an incident response plan with defined escalation procedures, containment steps, and notification timelines. In the event of a breach affecting lender client data, we will notify affected lenders within 72 hours of discovery, consistent with applicable law and our Data Processing Agreement. Our incident response runbook is available to lender clients as part of vendor due diligence.

CredVynt's operations and data infrastructure are based in the United States. We do not currently process applicant data outside the US. Applicant data is never transferred to foreign subprocessors. For institutions with member or customer bases that may include international individuals, we are happy to discuss applicable considerations on a case-by-case basis.

Yes. CredVynt was founded in 2025 and is actively building toward SOC 2 Type II certification. Our controls are designed with SOC 2 Trust Services Criteria as the framework. We expect to begin our formal SOC 2 audit engagement in 2026. In the meantime, we provide a detailed security controls questionnaire for procurement teams upon request.

Need our vendor security questionnaire, Data Processing Agreement, or model documentation package?
