All About Our Privacy Protection FAQ

Data Privacy
Does CredoLab collect personal data from the smartphone device?

No. None of your customers’ personal data, such as messages and contacts, is accessed. The only information that some jurisdictions may define as personal is the Android ID number and geographic location based on file. This information is only used to deter fraudulent behaviour.

Aside from that, the bulk of the data that we collect is considered metadata, that is, data about the data. Furthermore, we access only anonymous data, which we encode in binary form, and only after the user has agreed to the required Operating System's permissions and granted data privacy consent. In doing so, CredoLab protects the end-users' anonymity whilst retaining the ability to detect fraud deriving from particular devices.

Data Privacy
Can you provide examples of metadata?

Examples of metadata would include: the number of events you schedule during work hours, the number of contacts saved per month, the total number of apps upgraded in the last month, or the number of music files. We do not collect the personal contents; we just crunch the numbers.

Service-Level Commitment
SLA on score generation

Our standard SLA with most clients is no more than 1 minute, but 97% of our transaction records show that it takes less than a second for our clients to see the results.

Service-Level Commitment
Quality Support

CredoLab agrees, represents, and warrants to provide the Client with quality support and access to knowledgeable personnel at all times. CredoLab provides multi-level support to the Client, executed by both the Customer Success Manager and the Technical Support team. Incoming requests are prioritized according to the scale and duration of their impact on production:

  • Level 1, Customer support (General requests, minor issues. This is a transitional level for incoming requests).
  • Level 2, Technical Support (Minor issues with high priority).
  • Level 3, Technical Support (Major Issues).


Data Privacy
How do I know CredoLab only collects metadata and not any personal information?

CredoLab only reads permissioned information and transforms it into anonymous data about other data (metadata). If you could take a look at the data CredoLab’s scoring algorithm processes, it would be as below:

[Image: screenshot of a cell phone]

We have had independent annual auditors (Ernst & Young (2018) and eShard (2019)) verify that our product does not have any exploitable vulnerabilities.


Service-Level Commitment
Response times

Incidents are prioritized based on severity level below to ensure that those with the highest business impact are resolved first. Technical support resources are available during local business hours.

  • Level 1: Critical Service Impact (A service failure or severe degradation. Case critically affects the primary business service). 4 business hrs first response time, 24 business hours resolution time.
  • Level 2: Significant Service or Implementation Impact (A service failure or severe degradation. Case critically affects the primary business service). 6 business hrs first response time, 72 business hours resolution time.
  • Level 3: Moderate Service Impact (Product features are unavailable but a workaround exists). 8 business hrs first response time, 10 business days resolution time.
  • Level 4: No Service Impact (Non-critical cases, general questions, enhancement requests, documentation cases, issues that have very little to no impact on functionality). 12 business hrs first response time, 15 business days resolution time.
Data Privacy
Is the interface between your clients and the service platform encrypted?

Yes, CredoLab's end-to-end communication protocols are encrypted.

Service-Level Commitment
Error handling

CredoLab agrees, represents, and warrants to use commercially reasonable efforts to resolve errors in a manner consistent with the requirements of the Client, the Agreement, the Services, and our SLA. CredoLab shall use the standard HTTP response codes to indicate specific failure modes. The high-level breakdown of the standard HTTP error conditions and how Client's system will interpret these are as follows:

  • 2xx:  Supplier API has received, understood, and accepted a request.
  • 3xx:  Further action is required in order to complete the request.
  • 4xx: An error occurred in handling the request. The most common cause of this error is an invalid parameter.
  • 5xx: Supplier API received and accepted the request, but an error occurred while handling it.
Data Privacy
What kinds of data do you collect?

CredoLab collects privacy-consented, anonymous metadata that is not Personally Identifiable Information (PII), such as:

  • SMS, Log, Email, Network: We analyse SMS, Email and Network communication activity, not actual content, including frequencies, ratios, intervals between actions, distribution, and entropies.
  • Contacts: We analyse the address book and correlate it with the communication activity, including existing contacts, unknown ones or short numbers, without moving any contact outside the mobile.
  • Device: We analyse all characteristics of the device including the model, display size, RAM size, storage size and utilization, age of the device.
  • Browsing History: We analyse the browsing history including browsing patterns, preferences or simply intent to apply for a lending product.
  • Applications: We analyse the type of apps including competitive lending apps, office applications, e-wallets, and suspicious ones such as TOR or VPN.
  • CredoLab can also collect Non-anonymous data: In this mode, the CredoApp and CredoSDK collect the content of text messages, the actual phone numbers, the names and details of contacts in the address book, the geolocation and other personal data. This approach allows your institution to dramatically increase the accuracy of KYC while opening up new use cases including skip tracing and collections management.

Service-Level Commitment
Data protection

CredoLab agrees, represents, and warrants not to post, transmit, retransmit, or store material on or through the CredoLab Infrastructure that:

  1. is in violation of any applicable local, state, federal, international law, regulation, treaty or tariff; or
  2. violates the rights of any person, including rights protected by copyright, trade secret, patent or other intellectual property or similar laws or regulations, including, but not limited to, the installation or distribution of pirated or other software products that are not appropriately licensed for use by CredoLab.

CredoLab agrees, represents, and warrants to comply with data protection laws and regulations that apply to the performance of its obligations under this SLA and to process any personal data (including any which forms part of the Client's Data) as a result of, or in connection with, the provision of the Services to the Client strictly in accordance with the Client’s instructions and/or all applicable data protection laws and regulations and not otherwise. CredoLab agrees to take reasonable, appropriate technical, business, and organizational measures against accidental, deliberate, or unauthorized destruction, loss, alteration or disclosure of any data and implement adequate security programs and procedures to ensure that unauthorized persons do not have access to any equipment used to process personal data as part of the Services.

CredoLab agrees, represents, and warrants not to use or disclose Client’s Data or any end-user data, except to perform the Services and conduct activities authorized in this SLA.

Data Privacy
You collect so much of people's data. What if it leaks out?

With the anonymous approach, CredoLab focuses on protecting the users’ data privacy. Even if users’ data are stolen, it would be impossible to identify either a user or any of her contacts, or to fetch any other information from a data set. CredoLab does not collect the content of messages or emails, phone numbers, contact names, geolocation or any other personal data.

Service-Level Commitment
System monitoring

CredoLab agrees, represents, and warrants that it uses data leakage protection (DLP) mechanisms, network security via TLS, access control policy, system development lifecycle (SDLC), encryption protocols, software baseline configuration system, network security and firewall management, intrusion detection and/or prevention systems (IDS/IPS), environment segregation for relevant systems, and security logging and monitoring policy, among others. These help with the daily monitoring and performance of servers.

Data Privacy
Are any users' personal data shared with the vendor? If so, provide the list of data areas.

No. CredoLab doesn't collect and share users' personal info.

Service-Level Commitment
System availability

CredoLab agrees, represents, and warrants to undertake commercially reasonable measures to ensure that System Availability equals or exceeds the SLC of 95% during each calendar month, excluding Maintenance Windows, provided that any Unscheduled Downtime occurring as a result of the following exclusions: (i) incompatibility of Client’s equipment or software with the CredoLab Infrastructure; (ii) performance of Client's systems or website; or (iii) Force Majeure or (iv) any other circumstances that are not within CredoLab’s control which for purposes of this SLA is limited to scheduled or unscheduled interruptions caused by third party service providers (e.g., third party networks, domain name registrars) and outages on the part of internet service providers, shall not be considered toward any reduction in System Availability measurements or the application of Service Credits provisions. CredoLab shall comply with the following API requirements:

  • API Performance: Ability to handle a minimum request rate of 1 request per second (Supplier’s API should be able to serve at least this rate of requests). Ability to handle a maximum request rate of 20 requests per second (Supplier’s API should be able to “burst” to this maximum rate of serving requests). Each API Response should have an average response time < 4000ms (less than 4000 milliseconds).
  • API Availability: Supplier APIs shall achieve an uptime of 95% per month.
  • Should an emergency dictate a need for any period of non-Availability of CredoLab Infrastructure outside the Maintenance Window, or for a period of non-Availability exceeding 2,160 minutes, CredoLab agrees to schedule such non-Availability at least fourteen (14) calendar days in advance of its commencement with prior concurrence of the Client's representative. Any period of non-Availability outside of the Maintenance Windows shall be treated as a “critical” Issue.

Service-Level Commitment
Bandwidth availability

CredoLab agrees, represents, and warrants to use commercially reasonable efforts to determine the source of any excess packet loss or latency and to correct such problem to the extent that the source of the issue is on CredoLab Infrastructure or network.

Data Privacy
How long will the data be kept by CredoLab?

The metadata assessed and the score generated on your customers are stored by CredoLab for your use as long as the contract is valid. On termination of the contract, this data is deleted from all servers.

Data Privacy
Where will this data be stored?

The data extracted is stored in the form of a JSON (or JavaScript) file on secure clouds provided by Amazon or Microsoft, or on a secure local server, depending on our client's and country's policy and regulation. We are generally compliant with respective governmental regulations and local data is kept within the country, but CredoLab remains the sole proprietor of the data collected.

Service-Level Commitment
Disaster recovery

CredoLab agrees, represents, and warrants to use standard industry practices to regularly back up all data stored on behalf of the Client in accordance with the Schedule below, and implement a disaster recovery plan in the event of a site catastrophe or other Force Majeure Event that prevents CredoLab from delivering the Services or the client from accessing the Services or CredoLab’s Infrastructure, and agrees to use commercially reasonable efforts to have the Services restored to operation as soon as practicable.

Service-Level Commitment
Data backup and retention

CredoLab agrees, represents, and warrants to back up all Client Data (including but not limited to File Data, Database Data, and Archive Data), on a daily basis using a combination of full and incremental backup procedures. In addition, CredoLab shall archive database logs to permit recovery to a specific point in time if necessary. Backups will be executed automatically using a predefined schedule. Backup records will be rotated offsite on a periodic basis to ensure availability in the event of a site catastrophe. CredoLab agrees to archive and retain such records using predefined schedules and policies.

Service-Level Commitment
Recovery of data

CredoLab agrees to exercise commercially reasonable efforts to restore data files from archived copies as quickly as reasonably practicable, as necessary as a result of system failure or data corruption or losses. Client acknowledges that the amount of time required to restore data files is dependent upon numerous factors, including, but not limited to, severity of the relevant data corruption or loss. Any expense relative to data restoration is for the account of CredoLab.

Data Privacy
Which cloud storage provider do you use?

CredoLab has been working with Microsoft Azure for our cloud storage solutions. If your country or company has any other service provider you’d like to use instead, we could confirm this after checking the security levels and the integration requirements from our side.

Data Privacy
Are there any other steps you take to ensure data security?

All data collected are encrypted at all times, both at rest and in transit. Production data, the data used to generate the scorecards once you go live, are restricted from being used in test and development systems unless the data is appropriately masked or sanitised to protect sensitive information (if any). Data leakage protection (DLP) mechanisms are put in place to monitor and prevent the data from leaving the organisation via removable media or via a network. We maintain separate and appropriately segregated development, test and production environments for all of the Client's relevant systems.

Data Privacy
What are your data security incident management efforts?

We have a formal security incident monitoring, reporting and response process to identify, report, and appropriately respond to known or suspected security incidents. Theft or loss of user systems (such as workstations or laptops) are considered security incidents and follow our incident reporting process.

Service-Level Commitment
SLA Announcement

CredoLab agrees, represents, and warrants to use all commercially reasonable efforts to have the Services running and available to the Client continuously, every day, in dedicated environments, with availability of at least 95% during any monthly billing cycle (“Service Level Commitment” or SLC) and a mean time between any non-Availability equal to or greater than one hundred twenty (120) days.

A Scheduled Downtime may be scheduled by CredoLab as reasonably necessary for maintenance, updating, or repair by giving the client at least eight (8) hours advance written notice, unless a shorter notice period is required under the circumstances. The notice will specify the date and start time of the Scheduled Downtime and the expected period during which the Services will be non-Available. CredoLab agrees to use commercially reasonable efforts to minimize the effects of such Scheduled Downtime on the Client's regular business operations.

Please refer to the sections below for more on our service level commitment.

Data Privacy
Who will have access to the data within CredoLab?

Only authorized and trained employees of the Research and Development department have read-only access to the data. In addition to this, the customer success team working with you will also have access to the data, after your explicit authorization.

Couldn’t find an answer to your query? Get in touch with us directly at faqs@credolab.com.