Credentialate Data Security and Privacy

Credentialate is built on a modern cloud infrastructure designed to ensure the safety of your data, and we use proven third-party cloud providers. 

Ensuring the safety and privacy of your data is fundamental to our mission, and underlies one of our core values - Build Trust. We take regular data backups and test recovery, run penetration testing, encrypt all data at rest and in transit, conduct static code analysis and third party vulnerability scanning, sanitise our logs, secure individual customers at the database level, and many other cloud security techniques.

You own your data, and can take it with you should you ever leave. You may choose to make learner achievement data publically available on the internet as evidence to validate any digital credential earned by a Learner. Learners who receive digital credential can control the visibility of this data via the relevant Badge provider’s platform. We will never sell your data. We generate anonymised and aggregated statistical and analytical data to support analytics, benchmarking and comparative features, research and development and other purposes, but such analytical data will never identify either customers or learners.

Security features

Product security



Single sign-on (SSO)

Credentialate supports a range of SSO schemes. We recommend SSO to streamline user management and eliminate the management of local users and passwords.

Secure passwords

Credentialate enforces a password complexity standard. Credentials are encrypted at rest in accordance with industry standards. All requests are encrypted in transit through TLS.


Users are allocated roles allowing access to varying levels of administrative function. Further, users can be allocated access at a course level.

High availability

We ensure high availability across the platform through the employment of industry best-practices in our cloud infrastructure, including continuous automatic monitoring and alerts, fast continuous deployments, multi-node load balancing and automatic scaling.


Credentialate builds are rigorously tested through a combination of thorough automated tests as well as stringent manual testing.


Network and application security



Hosting and storage

Credentialate services and data are hosted in Amazon Web Services (AWS) facilities and follow recommendations from AWS Well Architected Reviews for security and reliability. Databases are securely isolated using Amazon Virtual Private Cloud (VPC).

Data integrity and security

Customer segregation and access to all data is achieved and enforced through the separation of customer data into separate database instances. With each customer receiving their own database, there is no chance of data or access pollution between customers.

Encryption at rest

All data is encrypted at rest via AWS RDS and S3 using AWS recommended encryption standards.

Encryption in transit

Data is encrypted in transit (both with the browser as well as system integrations) while moving between us and the browser with Transport Level Security (TLS). All certificates are issued and managed through AWS, and we enable HTTP Strict Transport Security (HSTS) to ensure all traffic goes across HTTPS. We score an ‘A’ rating on Qualys SSL Labs‘ tests.

Vulnerability scanning

Edalex uses third party security tools to scan for vulnerabilities. Our engineers respond to issues raised. Automated OWASP dependency checking is built into the build process to detect and alert for new and known vulnerabilities. 

Penetration testing

A two stage independent third-party penetration testing is undertaken on a regular basis. Any issues identified are addressed before a secondary verification and certification.  

Brute force prevention

We employ password strength requirements, Cross-Site Request Forgery (CSRF) protection, secure password reset practices, and log in attempt rate limiting with automated account lockout.

Backups & monitoring

All client databases are backed up, with a retention policy of 7 years on a rotation schedule.  All backup snapshots and disks are encrypted by AWS KMS service. Application logs for all activities are stored in AWS and retained for at least 30 days.

Infrastructure and logs are continually monitored with automated alerts.

Incident response

Our team has a 24 / 7 on-call rotation and escalation policy, with production alerts captured and automatically escalated.

Security policies




All employee and contractor agreements include a confidentiality clause.


Our internal security policies cover a range of topics, and are updated frequently and shared with all employees and contractors.





AWS Well-Architected Review

Periodically undertaken, the review is designed to build secure, high-performing, resilient, and efficient infrastructure for applications.

Next Steps

Let's Talk!
Discover What Credentialate Integration Looks Like
Order a Free Credentialate Proof of Concept