Skip to main content
NEW: RSAC 2026 NHI Field Report. How Non-Human Identity became cybersecurity's central axis
Back to Resources
Security Whitepaper

Cremit Infrastructure Security

A comprehensive overview of our security-first design philosophy, infrastructure architecture, and data protection measures.

Version 1.0December 202520-minute read

Executive Summary

Cremit is built on a Security First Design philosophy. As a company providing security solutions, we firmly believe that handling customer sensitive data must never become a new security risk. This principle is the top priority in every architectural decision we make.

Minimal Data Retention

No source code storage; metadata only

Secret Protection

Detected secrets are masked and encrypted

Customer Control

Customer KMS integration, instant data deletion

Network Isolation

Private Subnet-based architecture

Full Encryption

All data encrypted at rest and in transit

Passwordless Authentication

Magic Link, SSO, OAuth. No password storage

1. Security First Design

Every architectural decision at Cremit prioritizes security. This is not just a slogan. It's a core principle consistently applied from design to operations.

Defense in Depth

We don't rely on a single security layer. Independent security controls are applied at network, application, and data levels. Even if one layer is compromised, others provide additional protection.

Principle of Least Privilege

Every system component and user is granted only the minimum privileges necessary to perform their tasks. This principle applies equally to inter-service communication.

Zero Trust Architecture

Every request is authenticated and verified, even within the internal network. We follow 'never trust, always verify' rather than 'trust but verify'.

Privacy by Design

Data minimization principles are applied from the collection stage. We don't collect data we don't need, and collected data is securely deleted after its purpose is fulfilled.

2. Infrastructure Architecture

Cloud Environment

The Cremit platform operates on Amazon Web Services (AWS) infrastructure.

Cloud Provider
AWS (Amazon Web Services)
Primary Region
ap-northeast-2 (Seoul)
Orchestration
Amazon EKS (Elastic Kubernetes Service)
Region Policy
Customer-specified region support

Network Security Features

Complete Private Subnet Isolation

All application servers, databases, and cache servers are located in Private Subnets, making them inaccessible directly from the internet.

Single Entry Point

The only component exposed externally is the Application Load Balancer (ALB). The ALB is integrated with AWS WAF (Web Application Firewall) to filter malicious traffic.

Security Group-Based Access Control

Each service component is protected by independent Security Groups, allowing communication only through necessary ports and authorized sources.

VPC Flow Logs

All network traffic is logged for use in anomaly detection and forensic analysis.

3. Data Processing and Protection

Source Code Processing

Customer source code is never stored on Cremit servers. During the scanning process, code is analyzed in real-time in memory and immediately deleted from memory when analysis is complete.

During Scan
Real-time streaming analysis, in-memory processing
After Scan
Source code immediately discarded, never stored
Stored Data
Only detection result metadata retained

Secret Data Processing

Detected secrets are classified as particularly sensitive data and receive multi-layer protection.

Masking Process

Original Secret:AKIAIOSFODNN7EXAMPLE
Stored (Masked):AKIA************MPLE

The original value of detected secrets is never stored. Only minimal information for identification (prefix, suffix) is retained in masked form.

Default Encryption
Encrypted with Cremit-managed AWS KMS
Customer KMS
Encrypted with customer-provided KMS key (BYOK)

4. Encryption Framework

Encryption at Rest

DatabaseAES-256, AWS KMS
File StorageAES-256, S3 SSE
Backup DataAES-256
Sensitive FieldsApplication-level encryption

Encryption in Transit

External Communication
TLS 1.2 or higher
Internal Communication
mTLS (mutual TLS)
API Communication
Latest security protocols

Key Management

Key Storage
AWS KMS (FIPS 140-2 Level 3)
Key Rotation
Automatic annual rotation
Access Control
IAM policy-based
Audit Logging
CloudTrail records

5. Access Control

Passwordless Authentication

Cremit implements a passwordless architecture to eliminate password-related security risks such as credential stuffing, phishing, and password reuse attacks.

Magic Link

Secure one-time login link sent via email

SSO (Single Sign-On)

SAML 2.0, OIDC integration with enterprise IdPs

OAuth Login

GitHub, Google, and other OAuth providers

No Password Storage
Eliminating password database breach risk by not storing passwords
Phishing Resistant
Magic links and SSO tokens are one-time use and time-limited
Reduced Attack Surface
No passwords means password-based attacks are impossible
Better User Experience
No password fatigue or reset flows
SAML 2.0
Supported
OIDC
Supported
OAuth 2.0
Supported

6. Compliance

ISMS-P Alignment
Aligned

Controls mapped to Korea's ISMS-P framework; customer audit evidence available on request.

Audit Support
Available

We help customers with SOC 2, ISO 27001, and PCI DSS audit evidence for NHI-related controls.

Instant Deletion Guarantee

When a customer deletes their organization, all data associated with that organization is completely and immediately deleted. Deleted data cannot be recovered and is also removed from backups. This ensures customer data sovereignty and complies with GDPR's 'right to be forgotten'.

7. Operational Security

Vulnerability Management

  • Quarterly internal security audits
  • Annual external penetration testing
  • Security vulnerability reporting program
  • Security patches applied within 72 hours

Business Continuity

  • Multi-AZ deployment eliminating single points of failure
  • Geographically distributed daily automated backups
  • RPO 1 hour, RTO 4 hour objectives

Incident Response

Detection
Real-time
🚀
Initial Response
Within 1 hour
📧
Customer Notification
Within 24 hours
📊
Post-Incident Analysis
Within 72 hours

Security Summary

Cremit designs and operates the platform according to Security First Design principles, maintaining the highest level of security that meets customer trust.

Data Minimization

No source code storage, metadata only

Secret Protection

Masking + KMS encryption (customer KMS supported)

Network Isolation

Private Subnet, only ALB externally exposed

Encryption

AES-256 at rest, TLS in transit

Authentication

Passwordless (Magic Link, SSO, OAuth)

Access Control

SSO, RBAC support

Data Sovereignty

Customer region selection, instant deletion guarantee

Compliance

ISMS-P aligned controls; audit-evidence support for customers' SOC 2, ISO 27001, PCI DSS programs

Contact

For security inquiries or additional information, please contact:

argus.cremit.iodeveloper.cremit.iosecurity@cremit.io

© 2025 Cremit Inc. All rights reserved. This document provides general information about Cremit's security architecture.

Ready to secure your infrastructure?

See how Cremit discovers, manages, and protects all your secrets and machine identities.