Supplemental terms governing Partner-provided data

Last updated: December 5, 2025

1. Supremacy & Scope

1.1 Supremacy Clause

This Addendum governs the receipt, handling, protection, retention, and destruction of Non-Public Personal Information (“NPI”) that Referral Partners send to Credzu.
If this Addendum conflicts with Credzu’s public Privacy Policy or User Agreement, this Addendum controls for all Partner-provided data.

1.2 Referral Partners Covered

This Addendum applies to all organizations and individuals who refer Consumers to Credzu, including:

  • Mortgage lenders and loan officers
  • Real estate agents
  • Financial service providers
  • Nonprofits and counseling agencies
  • Consumer referral agencies
  • Any entity using Credzu’s referral APIs or Partner portals

1.3 Scope of Data

This Addendum applies exclusively to NPI transmitted by Partners to Credzu, limited to:

  • First Name
  • Last Name
  • Email Address
  • Phone Number

Credzu does not receive financial, credit, or additional personal data from Partners under the referral integration.

2. Security & Infrastructure

2.1 Application Hosting

Credzu’s application environment is hosted on Kinsta, running on Google Cloud Platform (GCP), which provides container isolation, managed security controls, continuous monitoring, and daily encrypted backups.

2.2 Data & Document Storage

Partner data and documents are stored only in Amazon Web Services (AWS) S3, using encrypted, access-restricted storage.

2.3 Business Continuity

Credzu maintains:

  • Daily encrypted backups
  • Multi-region redundancy
  • Disaster recovery protocols

Backup retention follows Credzu’s primary Security & Data Retention Policy.

3. Encryption Standards

3.1 In Transit

All Partner-to-Credzu communication uses TLS 1.2+ encryption.
All API and WordPress REST endpoints require HTTPS.

3.2 At Rest

Data is encrypted using AES-256 or equivalent industry-standard methods within AWS and GCP.

4. Access Control & Authentication

4.1 Role-Based Access Control (RBAC)

Access to Partner NPI is strictly limited to authorized personnel with documented business need.

4.2 Multi-Factor Authentication (MFA)

Administrative access to systems storing or processing Partner NPI requires MFA.

4.3 Cloud Access Controls

Access to AWS and GCP resources is governed by least-privilege IAM policies, with logged, monitored access.

4.4 API Authentication

Credzu uses secure token-based authentication:

  • unique
  • revocable
  • time-limited
  • transmitted only over encrypted channels

5. Data Lifecycle, Retention & Destruction

Credzu classifies Partner-provided NPI into two categories.

5.1 Category A — Converted Users (Active Accounts)

Definition:
A Consumer who clicks a Partner’s call-to-action link and successfully completes Credzu’s account registration.

Retention:
Retained for the life of the account plus seven (7) years after closure.

Purpose:
Supports legal, regulatory, audit, and escrow dispute obligations.

5.2 Category B — Non-Converted Leads (Incomplete Onboarding)

Definition:
Referrals where the Consumer does not complete registration after Credzu’s automated outreach (initial SMS, 72-hour, 7-day, and 15-day follow-ups).

Retention:

  • NPI retained for 90 days from Partner transmission
  • On day 91, all identifiers are permanently deleted or irreversibly anonymized

Credzu does not store non-converted Partner NPI beyond 90 days.

5.3 Destruction Standards

Credzu uses:

  • NIST SP 800-88 compliant digital sanitization
  • Secure deletion of encrypted data
  • Automatic purge of expired backup sets

Credzu does not print or physically store Partner NPI.

6. Incident Response

6.1 Notification Window

If Partner NPI is compromised, Credzu will notify the Partner’s designated compliance contact within 72 hours of incident confirmation.

6.2 Notification Includes:

  • Summary of the incident
  • Data categories involved
  • Systems affected
  • Containment actions taken
  • Planned remediation steps
  • Follow-up updates as needed

7. Summary of Restriction

  • Partner NPI is used only for onboarding and matching Consumers.
  • Partner NPI is never sold or used for external marketing.
  • Service Providers and other Partners never receive Partner NPI unless a Consumer completes registration.
  • Non-converted NPI is purged at 90 days.

8. Contact

Credzu, LLC
1980 N. Atlantic Avenue, Second Floor
Cocoa Beach, FL 32931
Email: info@credzu.com
