About Us
Who We Serve
Product
News & InsightsEvents
Talk to Our Team
About UsOur PeopleLife At CredLensWho We ServeProductHow it WorksPrivacy & SecurityNews & InsightsEvents
Talk to Our Team
product
/
privacy & security

Built with security.
Designed for trust.

CredLens operates as a national data trust and is built on a foundation of privacy and security. That means your data and your credential holders' data is something you entrust to us, not something we own — and we treat that responsibility with the care it deserves. That principle shapes every technical and organizational decision we make.

Request a Demo
certifications & Compliance

Independently verified.
Continuously audited.

CredLens has achieved the following independent security assessments and certifications:
SOC 2 Type II
Independently audited controls for security, availability, and confidentiality — verified over a sustained period, not just at a point in time. Available to prospective clients on request under NDA.
SOC 3
The publicly shareable version of our SOC 2 Type II report. Confirms our controls meet the AICPA Trust Services Criteria, and is available for review by any stakeholder on request.
ISO 27001:2022
International standard for information security management systems (ISMS). Covers risk management, access controls, incident response, and continuous improvement.
ISO 27018:2019
Extension of ISO 27001 specific to protecting personally identifiable information (PII) in cloud environments — particularly relevant for credential holder data.
TX-RAMP Level 2
Texas Risk and Authorization Management Program certification for cloud services used by Texas state agencies. Reflects readiness to serve state government and state-affiliated partners.
PII flow review
The CredLens Insights Platform is regularly tested through an independent review that assesses how PII flows through the platform — what data is collected, how it's processed, where it's stored, and how privacy risk is identified and bounded. These controls ensure alignment with U.S. state privacy law and public-sector data trust standards.
technical safeguards

Protected at every step —
in transit, at rest, and in the matching process.

Encryption at rest

All data stored in the CredLens environment is encrypted using AES-256, with keys managed through AWS KMS and automated key rotation enabled.

Encryption in transit

All data transmitted to and from the platform is protected using TLS 1.3.

Access controls & authentication

Role-based access controls, least-privilege IAM, zero-trust context-aware enforcement, and mandatory MFA. Users only see insights for credentials their own organization submitted; cross-organization visibility requires a formal data-sharing agreement.

Audit logging

All platform access, data queries, and actions are logged and available for review.

Penetration testing

Annual third-party penetration testing combining automated and manual techniques — black-box testing plus code-assisted review, for both an external-attacker perspective and deeper internal analysis.

Network security & monitoring

Access enforced through AWS security groups and IAM roles, with AWS WAF guarding against common web attacks. Continuous threat detection and audit logging via Amazon GuardDuty and AWS CloudTrail.
Data governance

A trusted steward.

CredLens is governed as a national data trust. We act as a processor, handling data solely on behalf of the organizations that share it with us.

We never sell or license customer data under any circumstances. Data is only transferred, shared, or published as directed by the organization that owns it.
You own your data.
CredLens holds it on your behalf for the purpose of generating outcomes insights — nothing else.
Your data is yours alone.
It is not shared with other clients, used for benchmarking without your consent, or visible to anyone outside your designated users.
Our data partners operate under strict agreements.
Records are shared for matching and enrichment only, governed by formal data use agreements and explicitly pre-defined allowed use cases.
Your data goes with you.
Should you stop working with us, your data is deleted in accordance with our data retention policy.
Credential holder privacy

The learners behind the data
are protected by design.

CredLens is committed to protecting the privacy of the individuals whose records credential issuers submit to the platform.

Used solely for outcomes matching

Credential holder records are never used for marketing, profiling, or any purpose outside the CredLens data workflow.

Aggregate outputs only

All platform outputs are reported at an aggregate level. No individual-level data is ever surfaced, except in specific caes apporved by your organization under the Data Contributor and Use Agreement.

Clear data governance

Role-based access controls, least-privilege IAM, zero-trust context-aware enforcement, and mandatory MFA. Users only see insights for credentials their own organization submitted; cross-organization visibility requires a formal data-sharing agreement. Your data is not shared with other clients, used for benchmarking, or visible to anyone outside your designated users without your express consent

Full legal compliance

CredLens complies with applicable federal and state privacy laws governing the use of educational and employment records.

Ready to See Your Outcomes?

CredLens helps credential issuers, policymakers, employers, and funders use quality outcomes data to make decisions that change lives.
Request a Demo