How Credzu secures data, how long it is retained, and when it is destroyed

Last updated: December 5, 2025

1. Overview

This Policy explains how Credzu:

protects data,
stores it securely,
retains it only as long as necessary, and
destroys it according to industry-standard practices.

This Policy covers all Credzu users: Consumers, Service Providers, and Partners.
Referral Partner data follows additional rules in the Referral Partner Data Addendum, which controls in case of conflict.

2. Infrastructure & Storage

2.1 Hosting

Credzu’s application runs on Kinsta using Google Cloud Platform, benefiting from cloud-native security, container isolation, and continuous monitoring.

2.2 Document Storage

Documents and sensitive files are hosted on AWS S3, using encrypted, private buckets.

2.3 Backups

Credzu maintains:

encrypted daily backups
offsite redundancy
automated disaster recovery workflows

Backups follow the destruction timelines described below.

3. Security Controls

3.1 Encryption

TLS 1.2+ for all data in transit
AES-256 encryption for stored data

3.2 Access & Authentication

Role-Based Access Control (RBAC)
Multi-Factor Authentication (MFA) for administrative users
Least-privilege IAM roles across AWS and GCP
Logged and monitored cloud access

3.3 Application Security

Secured WordPress REST API endpoints
Regular updates, patching, and code review
Firewall and WAF protection

4. Data Retention Schedule

Category	Retention Period
Consumer Accounts	For the life of the account
Escrow & Financial Records	7 years post-closure
Signed Contracts & Legal Agreements	7 years
Credit Reports	Deleted 180 days after engagement closure unless required longer for disputes
Chat Logs	5 years
Uploaded Documents	Deleted 180 days after engagement ends unless legally required longer
System Logs	12–24 months depending on type
Referral Partner NPI	See Referral Partner Data Addendum (90-day rule for non-converted leads)

5. Document Destruction

5.1 Digital Destruction

Credzu uses NIST SP 800-88 compliant methods, including:

cryptographic erasure,
secure deletion from AWS S3,
secure overwriting,
destruction of encryption keys where applicable.

5.2 Physical Files

Credzu does not maintain printed copies of Consumer, Service Provider, or Partner data.

5.3 Backup Purge

Backup sets are automatically purged when their retention period expires.

6. Data Access Rules

6.1 Consumers

Consumers can see:

messages
documents shared in their chat
their own credit reports
their own escrow data

6.2 Service Providers

Providers may see:

Consumer information shared with them
credit reports
documents exchanged within their shared chat

6.3 Partners

Partners may see:

Updates for Consumers they referred
Shared chat content only if included in the chat

Partners cannot see:

escrow balances
credit reports (unless a Consumer explicitly shares them)

7. Breach Notification

If Credzu confirms a data incident affecting users, we will:

Notify affected parties as required by law
Secure systems
Work with third-party security specialists
Provide updates as remediation continues

Referral Partners receive notification under the terms in their Addendum.

8. Your Responsibilities

Users agree to:

keep login credentials secure
use trusted devices
report suspicious activity promptly
avoid sharing sensitive data outside the Platform

9. Updates to This Policy

We may update this Policy from time to time.
Updates are effective upon posting.

10. Contact Us

Credzu, LLC
1980 N. Atlantic Avenue, Second Floor
Cocoa Beach, FL 32931
Email: info@credzu.com