A comprehensive overview of our security-first design philosophy, infrastructure architecture, and data protection measures.
Cremit is built on a Security First Design philosophy. As a company providing security solutions, we firmly believe that handling customer sensitive data must never become a new security risk. This principle is the top priority in every architectural decision we make.
- No source code storage; metadata only
- Detected secrets are masked and encrypted
- Customer KMS integration, instant data deletion
- Private Subnet-based architecture
- All data encrypted at rest and in transit
- Magic Link, SSO, OAuth; no password storage
Every architectural decision at Cremit prioritizes security. This is not just a slogan—it's a core principle consistently applied from design to operations.
We don't rely on a single security layer. Independent security controls are applied at network, application, and data levels. Even if one layer is compromised, others provide additional protection.
Every system component and user is granted only the minimum privileges necessary to perform their tasks. This principle applies equally to inter-service communication.
Every request is authenticated and verified, even within the internal network. We follow 'never trust, always verify' rather than 'trust but verify'.
Data minimization principles are applied from the collection stage. We don't collect data we don't need, and collected data is securely deleted after its purpose is fulfilled.
The Cremit platform operates on Amazon Web Services (AWS) infrastructure.
All application servers, databases, and cache servers are located in Private Subnets, making them inaccessible directly from the internet.
The only component exposed externally is the Application Load Balancer (ALB). The ALB is integrated with AWS WAF (Web Application Firewall) to filter malicious traffic.
Each service component is protected by independent Security Groups, allowing communication only through necessary ports and authorized sources.
All network traffic is logged for use in anomaly detection and forensic analysis.
Customer source code is never stored on Cremit servers. During the scanning process, code is analyzed in real-time in memory and immediately deleted from memory when analysis is complete.
Detected secrets are classified as particularly sensitive data and receive multi-layer protection.
For example, the AWS access key ID AKIAIOSFODNN7EXAMPLE is recorded only as AKIA************MPLE. The original value of a detected secret is never stored. Only the minimal information needed for identification (prefix and suffix) is retained, in masked form.
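To illustrate the masking rule above, here is an added Python example; it is not Cremit's code. The prefix and suffix lengths of 4 and the minimum number of hidden characters are assumptions; the sample value is AWS's documented example key ID.

```python
"""Mask a detected secret so only an identifying prefix and suffix survive,
and guard against a raw secret ever reaching persistent storage."""

# Constructed sample: AWS's documented placeholder access key ID (not a live credential).
SAMPLE_SECRET = "AKIAIOSFODNN7EXAMPLE"

PREFIX_LEN = 4    # assumption: characters kept at the start
SUFFIX_LEN = 4    # assumption: characters kept at the end
MIN_HIDDEN = 8    # assumption: never reveal prefix/suffix unless at least this many chars are hidden


def mask_secret(secret: str, prefix_len: int = PREFIX_LEN,
                suffix_len: int = SUFFIX_LEN, min_hidden: int = MIN_HIDDEN) -> str:
    """Return the masked form of a secret.

    Edge case: for short secrets, keeping prefix and suffix would expose most of
    the value, so the whole secret is masked instead (only its length remains).
    """
    if not secret:
        return ""
    hidden = len(secret) - prefix_len - suffix_len
    if hidden < min_hidden:
        return "*" * len(secret)
    return secret[:prefix_len] + "*" * hidden + secret[-suffix_len:]


def is_safe_to_store(value: str, prefix_len: int = PREFIX_LEN,
                     suffix_len: int = SUFFIX_LEN, min_hidden: int = MIN_HIDDEN) -> bool:
    """Storage-side check: accept only values that look masked.

    A value is accepted if it is fully masked, or if it hides at least
    min_hidden characters and reveals no more than prefix_len + suffix_len.
    """
    hidden = value.count("*")
    visible = len(value) - hidden
    if visible == 0:
        return True
    return hidden >= min_hidden and visible <= prefix_len + suffix_len


def build_finding(secret: str, rule: str) -> dict:
    """Build the record that would be persisted for a detection.

    The raw secret is masked first, and the guard rejects any value that
    still looks like a plaintext secret, so a bug upstream cannot leak it.
    """
    masked = mask_secret(secret)
    if not is_safe_to_store(masked):
        raise ValueError("refusing to store an unmasked secret")
    return {"rule": rule, "masked_value": masked, "length": len(secret)}
```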
Cremit implements a passwordless architecture to eliminate password-related security risks such as credential stuffing, phishing, and password reuse attacks.
- Magic Link: secure one-time login link sent via email
- SSO: SAML 2.0 and OIDC integration with enterprise IdPs
- OAuth: GitHub, Google, and other OAuth providers
- ISO 27001 (Information Security Management System): certified
- SOC 2: in progress, expected completion February 2025
When a customer deletes their organization, all data associated with that organization is completely and immediately deleted. Deleted data cannot be recovered and is also removed from backups. This ensures customer data sovereignty and complies with GDPR's 'right to be forgotten'.
Cremit designs and operates the platform according to Security First Design principles, maintaining a level of security that earns and keeps customer trust.
- Source code: no storage, metadata only
- Detected secrets: masking + KMS encryption (customer KMS supported)
- Network: Private Subnet, only the ALB externally exposed
- Encryption: AES-256 at rest, TLS in transit
- Authentication: passwordless (Magic Link, SSO, OAuth)
- Access control: SSO, RBAC support
- Data sovereignty: customer region selection, instant deletion guarantee
- Compliance: ISO 27001 certified, SOC 2 in progress
For security inquiries or additional information, please contact:
© 2025 Cremit Inc. All rights reserved. This document provides general information about Cremit's security architecture.