Privacy Policy

🔒 Information Security Policy


This policy is an aggregate of directives, regulations, rules, and practices that prescribes how Credrails manages, protects, and distributes information. It demonstrates Credrails commitment to provide management direction and support for information security in accordance with business requirements,  relevant laws and regulations.

Our systems, process and people shall align with PCI DSS v4.0 and ISO 27001:2013 frameworks.

Credrails management is committed to ensuring that the confidentiality, integrity, availability and privacy of all the information and information assets. This ensures Credrails achieves its strategic goals, takes into account our interested parties and compliance with legal, contractual and regulatory requirements.

Credrails employees are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. They are responsible for the completing their information security awareness trainings and reporting information security incidents based on the Incident management process.


This policy covers all Credrails information and information systems Credrails builds, manages and/or directly supports.


1.    Create an overall approach to information security.

2.   Detect and preempt information security breaches such as misuse of networks, data, applications, and computer systems.

3.   Maintain the reputation of the organisation, and uphold ethical and legal responsibilities.

4.   Respect customer rights, including how to react to inquiries and complaints about non-compliance.

🔒 Supplier Security Policy

It is important to Credrails that the relationship with our suppliers is based on a clear understanding of our expectations and information security requirements.

Credrails shall strive to monitor and review services supplied to ensure the third party does not represent a significant weakness to our operations.

Information security requirements may vary according to the type of contractual relationship that exists with each supplier and the goods/services delivered.

The following will generally apply:

  • The information security requirements and controls must be formally documented in a contractual agreement which may be part of or an addendum to , the main commercial agreement.
  • Separate non disclosure agreements must be used where a more specific level of control over confidentiality is required.
  • Appropriate due diligence must be exercised in the selection and approval of new suppliers before contracts are agreed.
  • The information security provisions in place with existing suppliers must be clearly understood and may be subject to changes where necessary.
  • Remote access by suppliers must be approved by the Chief Technology Officer and comply with the Credrails information security policies.
  • Access to Credrails information shall be limited where possible according to the least privileged principle and according to clear business need.
  • Basic information security principles such as unique accounts, segregation of duties, defence in depth must be applied.
  • The supplier is expected to exercise due care and implement adequate controls over the Credrails  information and information assets used during the execution of their work.  
  • Where defined in the contract, Credrails will have the right to audit the information security practices of the supplier, and where appropriate, the subcontractor.
  • Changes to services provided by suppliers will be subject to the change management process. This process includes the requirement to assess any information security implications of changes so that the effectiveness of controls is maintained.
  • Suppliers are responsible for alerting Credrails of an information security incident, threat or suspicious activity that may harm Credrails systems, information or clients when they become aware of such activities. Such reports shall be directed to