Trust & Security Center

Last Updated: February 14, 2025

1. Overview

Trust is the foundation of every credential we help manage. CreditBoosters USA designs, builds, and operates its platform with security, privacy, and transparency as first-class priorities, not afterthoughts. This page provides a detailed look at how we safeguard your data, authenticate our communications, and respond to threats.

2. Trust Pillars

Our security posture rests on four core pillars:

  • Encryption: TLS 1.3 secures all data in transit. AES-256 encrypts all data at rest, including database fields, backups, and file storage. Key management follows industry best practices with periodic rotation.
  • Email Authentication: every outbound message is authenticated with SPF, 2048-bit DKIM, and a strict DMARC policy (p=reject). We regularly audit DMARC aggregate and forensic reports to detect and remediate alignment failures.
  • Infrastructure: hosted on AWS (us-east-1, N. Virginia) with multi-AZ redundancy, private VPC networking, and no public-facing database endpoints. All administrative access requires MFA and is logged.
  • Monitoring: 24/7 automated monitoring covers application health, delivery metrics, bounce and complaint rates, and anomalous access patterns. Our on-call rotation ensures response to critical alerts within 15 minutes.

3. Security Practices

3.1 Access Controls

  • Role-based access control (RBAC) across all platform components.
  • Principle of least privilege: staff receive only the permissions required for their role.
  • Multi-factor authentication (MFA) mandatory for all employees accessing production systems.
  • Access reviews conducted quarterly; departing employees are de-provisioned within 1 business day.

3.2 Data Protection

  • All sensitive fields (license numbers, email addresses, billing details) are encrypted at the application layer before database storage.
  • Database backups are encrypted and stored in a separate AWS region with restricted access.
  • Personal data is never used in non-production environments; synthetic datasets are used for testing and development.

3.3 Application Security

  • Automated dependency vulnerability scanning integrated into CI/CD pipelines.
  • Static application security testing (SAST) runs on every code commit.
  • Quarterly penetration testing conducted by an independent third-party security firm.
  • All security findings are triaged, prioritized, and tracked to remediation.

4. Infrastructure Details

4.1 Cloud Hosting

CreditBoosters USA is deployed on Amazon Web Services (AWS) in the us-east-1 (N. Virginia) region. Our infrastructure includes:

  • Multi-AZ deployment with automated failover for high availability.
  • Private VPC with security groups, NACLs, and no public-facing database endpoints.
  • Automated scaling to handle usage fluctuations without service degradation.
  • All data stored exclusively within the United States.

4.2 Email Delivery

Transactional email is delivered through Mailgun (Sinch) using SMTP relay with a dedicated IP address.

  • Average daily volume: approximately 9,000 transactional messages.
  • Complaint rate: consistently below 0.03% (target: < 0.05%).
  • Bounce rate: maintained below 1.5% (target: < 2%).
  • Inbox placement: approximately 99.4% based on seed-list testing.
  • All messages are strictly transactional: no marketing, no newsletters, no promotional content.
  • Sending authenticated with SPF + DKIM + DMARC (p=reject).
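
As an added illustration (not CreditBoosters' own tooling), the sketch below shows the kind of check an audit of DMARC aggregate reports performs: it parses one report in the RFC 7489 XML layout and lists the sources where SPF or DKIM alignment failed. The report, domain, and IP addresses are constructed sample data.

```python
import xml.etree.ElementTree as ET

# Constructed aggregate report (RFC 7489 layout, documentation IP ranges).
# Reports arrive from third parties: production code should parse them with
# a hardened parser such as defusedxml rather than the stdlib one used here.
SAMPLE_REPORT = """<feedback>
 <policy_published><domain>example.org</domain><p>reject</p></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>8950</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers></record>
 <record><row><source_ip>198.51.100.25</source_ip><count>40</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers></record>
 <record><row><source_ip>203.0.113.77</source_ip><count>12</count>
  <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>example.org</header_from></identifiers></record>
</feedback>"""


def audit(report_xml):
    """Return (total_messages, findings) for one aggregate report."""
    root = ET.fromstring(report_xml)
    total, findings = 0, []
    for rec in root.iter("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")
        count = int(row.findtext("count", "0"))
        total += count
        failed = [m for m in ("dkim", "spf") if evaluated.findtext(m) != "pass"]
        if not failed:
            continue
        findings.append({
            "source_ip": row.findtext("source_ip"),
            "header_from": rec.findtext("identifiers/header_from"),
            "count": count,
            "failed": failed,
            # DMARC passes when either mechanism is aligned, so only a
            # double failure falls under the published p=reject policy.
            "dmarc": "fail" if len(failed) == 2 else "pass",
            "disposition": evaluated.findtext("disposition"),
        })
    return total, findings
```

A single-mechanism failure (the second record) usually points at forwarding or a sender missing from SPF; a double failure is either spoofing being rejected or a legitimate stream that needs its authentication fixed.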

5. Incident Response

Our incident response plan follows a structured five-phase approach:

  1. Detection & triage (0–30 minutes): automated monitoring and human review to confirm and classify the incident by severity.
  2. Containment (30–120 minutes): isolate affected systems, revoke compromised credentials, enable enhanced logging.
  3. Investigation (2–24 hours): root cause analysis, scope assessment, forensic evidence preservation.
  4. Remediation (24–72 hours): patch vulnerabilities, restore services from verified backups, implement compensating controls.
  5. Post-mortem (within 7 days): blameless review, lessons learned, actionable improvements documented and tracked.

In the event of a data breach affecting personal data of EEA individuals, we will notify the relevant supervisory authority within 72 hours as required by GDPR Article 33. Affected data subjects will be notified without undue delay when the breach poses a high risk to their rights and freedoms.

6. Logging & Audit Trail

  • Email delivery logs: retained for 90 days. Include message ID, recipient (hashed), timestamp, delivery status, bounce/complaint events.
  • Application access logs: retained for 12 months. Include user ID, action performed, timestamp, source IP.
  • Template change logs: retained for 12 months. All email template modifications are versioned with the author, approver, timestamp, and diff.
  • Administrative action logs: retained for 12 months. Include configuration changes, permission grants/revocations, and integration modifications.
  • Logs are stored in append-only, tamper-evident storage. Access to logs is restricted and audited.

7. Compliance

CreditBoosters USA operates in compliance with the following regulatory frameworks:

  • GDPR (General Data Protection Regulation): EU data subject rights, lawful processing, data minimization, DPA available on request.
  • CCPA (California Consumer Privacy Act): California resident rights, no data selling, transparent data practices.
  • CAN-SPAM Act: accurate sender identification, functional unsubscribe mechanisms, no deceptive subject lines.
  • CASL (Canadian Anti-Spam Legislation): consent-based communications, transparent sender identification.

See our Privacy Policy and Acceptable Use Policy for detailed compliance provisions.

8. Email Practices (Detailed)

This section expands on the Email Practices summary on our homepage with operational-level detail.

8.1 Recipient Verification

Every new user must verify their email address through a unique, time-limited confirmation link before any transactional messages are sent to their address. Institutional bulk imports undergo automated MX record validation and format checks; addresses that fail are quarantined for manual review.

8.2 Suppression List

Our global suppression list is shared across all sending streams. Addresses are added permanently upon:

  • Hard bounce (5xx response from recipient server).
  • Spam complaint via FBL or direct report to abuse@.
  • User-initiated unsubscribe or notification preference change.
  • Manual request via privacy@ or support@.

Suppressed addresses are never re-engaged, re-imported, or re-activated.

8.3 Bounce & Complaint Workflows

  • Hard bounces: immediate, permanent suppression. No retry.
  • Soft bounces: up to 2 retries over 24 hours, then automatic suppression.
  • Complaints: immediate suppression. Reviewed by deliverability team within 4 hours. Root cause documented; corrective actions applied if systemic.
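
The suppression rules in 8.2 and the bounce handling in 8.3 can be read as one small state machine. The following is an added sketch, not the platform's code; the event names (`bounce`, `complaint`, `unsubscribe`, `manual_request`) and the class are hypothetical, and treating 4xx codes as soft bounces is an assumption.

```python
from datetime import datetime, timedelta

MAX_SOFT_RETRIES = 2                  # 8.3: "up to 2 retries"
RETRY_WINDOW = timedelta(hours=24)    # 8.3: "over 24 hours"
PERMANENT = {"complaint", "unsubscribe", "manual_request"}  # hypothetical names


class SuppressionList:
    def __init__(self):
        self.suppressed = {}   # address -> reason; entries are never removed
        self._soft = {}        # address -> (first soft bounce time, retries used)

    def _suppress(self, addr, reason):
        self.suppressed.setdefault(addr, reason)   # keep the first reason
        self._soft.pop(addr, None)
        return "suppress"

    def handle(self, address, event, now, smtp_code=None):
        """Return 'suppress', 'retry' or 'ignore' for one delivery event."""
        addr = address.strip().lower()
        if addr in self.suppressed:
            return "ignore"
        if event in PERMANENT:
            return self._suppress(addr, event)
        if event != "bounce" or smtp_code is None:
            return "ignore"
        if 500 <= smtp_code <= 599:                 # hard bounce: no retry
            return self._suppress(addr, "hard_bounce")
        if 400 <= smtp_code <= 499:                 # assumed soft bounce range
            first, used = self._soft.get(addr, (now, 0))
            if used >= MAX_SOFT_RETRIES or now - first >= RETRY_WINDOW:
                return self._suppress(addr, "soft_bounce_exhausted")
            self._soft[addr] = (first, used + 1)
            return "retry"
        return "ignore"

    def filter_import(self, addresses):
        """Drop suppressed addresses from a bulk import (never re-imported)."""
        return [a for a in addresses if a.strip().lower() not in self.suppressed]


def demo():
    """Replay constructed events (not real traffic) for one soft-bouncing address."""
    s, t0 = SuppressionList(), datetime(2025, 2, 14, 9, 0)
    return [s.handle("User@Example.org", "bounce", t0 + timedelta(hours=h), 451)
            for h in (0, 6, 12, 18)]
```

Normalizing the address before every lookup matters here: without it, a re-import of `USER@example.org` would bypass a suppression recorded for `user@example.org`.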

8.4 Feedback Loop (FBL) Monitoring

Through Mailgun, we subscribe to ISP feedback loops (Outlook, Yahoo, AOL, etc.). FBL reports are processed automatically: the reporting address is suppressed and the associated message template is flagged for review.

8.5 Rate Limiting & Anomaly Detection

  • Per-client sending limits based on historical patterns.
  • Per-template hourly caps to prevent accidental bulk sends.
  • Real-time volume monitoring: spikes exceeding 150% of the 7-day rolling average trigger automatic holds and team notification.
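
One way to implement the hourly cap and the 150% spike hold described above, as an added example rather than the platform's code. It assumes the rolling average is taken over completed daily totals, that one cap value applies to every template, and that no spike check runs until seven days of history exist; the class and function names are hypothetical.

```python
from collections import defaultdict, deque

SPIKE_RATIO = 1.5   # 8.5: spikes exceeding 150% ...
WINDOW_DAYS = 7     # ... of the 7-day rolling average


class SendGate:
    def __init__(self, template_hourly_cap):
        self.cap = template_hourly_cap             # assumed: same cap for every template
        self.history = deque(maxlen=WINDOW_DAYS)   # completed daily totals
        self.today = 0
        self.hourly = defaultdict(int)             # (template, hour) -> sent this hour
        self.held = False

    def close_day(self):
        """Roll today's total into the 7-day window."""
        self.history.append(self.today)
        self.today = 0
        self.hourly.clear()

    def baseline(self):
        # Assumption: with less than a full window of history there is no
        # baseline, and the hourly caps are the only guard.
        if len(self.history) < WINDOW_DAYS:
            return None
        return sum(self.history) / WINDOW_DAYS

    def request(self, template, hour, n=1):
        """Return 'send', 'template_cap' or 'hold' for a batch of n messages."""
        if self.held:
            return "hold"
        if self.hourly[(template, hour)] + n > self.cap:
            return "template_cap"
        base = self.baseline()
        if base is not None and self.today + n > SPIKE_RATIO * base:
            self.held = True       # stays held until a person calls release()
            return "hold"
        self.hourly[(template, hour)] += n
        self.today += n
        return "send"

    def release(self):
        self.held = False


def seeded_gate(daily_totals, cap):
    """Build a gate from constructed daily totals (sample data, not real volumes)."""
    gate = SendGate(cap)
    for total in daily_totals:
        gate.today = total
        gate.close_day()
    return gate
```

The hold is latched: once tripped, every stream is refused until `release()` is called, which matches a hold that waits for team review rather than clearing itself when volume drops.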

8.6 RBAC for Sending

Email sending capabilities are restricted by role. Only authorized service accounts and platform triggers can initiate message dispatch. No individual employee can manually send messages to users without going through the template and approval workflow.

8.7 Template Change Approvals

All email template modifications require:

  • A pull request reviewed by at least one peer.
  • Approval from a senior team member or deliverability lead.
  • Staged rollout: changes deploy to an internal test group first, then to the broader user base.

8.8 Audit Trail

Every template version, sending rule change, and suppression list modification is logged with timestamp, author, approver, and change description. Logs are retained for 12 months and available for internal audit or regulatory review.

8.9 How to Report Abuse

If you receive an unwanted message from a creditboostersusa.com address, or believe our platform has been misused, please report it to abuse@creditboostersusa.com. We acknowledge all reports within 24 hours and complete investigations within 48 hours.

9. Responsible Disclosure

We welcome security researchers who identify vulnerabilities in our platform. If you discover a security issue, please report it responsibly:

  • Contact: security@creditboostersusa.com
  • Acknowledgment: within 48 hours of receiving your report.
  • Assessment: within 5 business days, we will provide an initial assessment of the reported issue.
  • Resolution: we aim to resolve confirmed vulnerabilities within a timeframe appropriate to their severity.
  • Recognition: with your permission, we will credit you for the discovery.

Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it. Do not access, modify, or delete data belonging to other users during your research.

10. Contact

For questions about our security practices or this Trust Center:

CreditBoosters USA, Inc.
4207 Ridgepoint Drive, Suite 140
Austin, TX 78731, United States
Security: security@creditboostersusa.com
General: info@creditboostersusa.com
Phone: +1 (512) 843-6291

Related pages: Terms of Service · Privacy Policy · Acceptable Use Policy · Contact & Support

© 2025 CreditBoosters USA, Inc. All rights reserved. Austin, TX · Incorporated in Delaware