Security Policy for Credit Manager

At The Service Bureau, we are committed to ensuring the security and privacy of our customers using Credit Manager, a desktop application for Microsoft Windows designed to manage credit-related data, including Metro 2 file processing. This policy outlines our security measures to protect your data and address common security concerns.

Data Storage and Encryption

  • Local Storage: All data processed by Credit Manager is stored on the client's machine in a SQLite database encrypted with AES-256, a military-grade encryption standard. The encryption key is hardcoded in the application and protected through binary obfuscation and encryption of constant strings.
  • Temporary Files: Any temporary files containing personally identifiable information (PII) are encrypted and automatically deleted when the software closes or after specific events, minimizing data exposure.
  • No Server Storage: We do not store consumer or customer data on our servers, except for minimal information (company name and an authentication identifier) required for licensing and authentication.

Secure Data Transmission

  • SFTP for Transfers: All data transmissions to and from Credit Manager use Secure File Transfer Protocol (SFTP) over SSH, ensuring end-to-end encryption. We use the EnterpriseDT.Net library (edtFTPnet/PRO) with username/password authentication and the following cryptographic algorithms:
    • Ciphers: aes128-gcm, aes256-gcm (preferred for authenticated encryption), aes128, aes256 (likely CBC mode), 3des-168-SHA (included for legacy compatibility but not recommended).
    • Key Exchanges: Diffie-Hellman (DH) with SHA, SHA256, SHA384; Elliptic Curve Diffie-Hellman (ECDH) with SHA, SHA256, SHA384.
    • MACs: HMAC-SHA1, HMAC-SHA2-256, HMAC-SHA2-512 (used for data integrity).
    • Host Key Algorithms: RSA (preferred), DSA (supported for compatibility).
  • Metro 2 Aggregation: For customers opting into our Metro 2 stacking service, Metro 2 files are sent to us via SFTP, aggregated with other customers’ data, and securely forwarded to credit bureaus. No consumer data is stored on our servers unless explicitly sent for this purpose.
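Added example, not part of The Service Bureau's policy or code: a check an SFTP server operator can run against their own server's advertised algorithm lists to see whether a client with the algorithm set above would end up on one of the entries the policy marks as legacy. The SSH wire names, the client's preference order, and the sample server offers are assumptions mapped from the list above, not values taken from edtFTPnet/PRO; key exchange is left out because the policy does not name specific groups or curves.

```python
# Added illustration. Wire names and client preference order are ASSUMPTIONS
# mapped from the policy's list; they are not taken from edtFTPnet/PRO.
CLIENT_OFFER = {
    "cipher": ["aes256-gcm@openssh.com", "aes128-gcm@openssh.com",
               "aes256-cbc", "aes128-cbc", "3des-cbc"],
    "mac": ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
}
# Entries the policy itself marks as legacy or compatibility-only.
LEGACY = {"3des-cbc": "3DES, listed as not recommended",
          "ssh-dss": "DSA host key, listed for compatibility only"}


def negotiate(client_list, server_list):
    """RFC 4253 rule: first name on the client's list the server also offers."""
    return next((alg for alg in client_list if alg in server_list), None)


def audit_server(server_offer):
    """Return (chosen, findings) for a server's advertised name-lists."""
    chosen, findings = {}, []
    for kind, client_list in CLIENT_OFFER.items():
        alg = negotiate(client_list, server_offer.get(kind, []))
        chosen[kind] = alg
        if alg is None:
            findings.append(f"{kind}: no common algorithm, connection would fail")
        elif alg in LEGACY:
            findings.append(f"{kind}: negotiates {alg} ({LEGACY[alg]})")
    # AES-GCM is an AEAD cipher: the separately negotiated MAC is not used.
    if chosen["cipher"] and "gcm" in chosen["cipher"]:
        chosen["mac"] = "implicit (AEAD)"
        findings = [f for f in findings if not f.startswith("mac:")]
    return chosen, findings


# Constructed sample server offers (not captured from any real host).
LEGACY_SERVER = {"cipher": ["3des-cbc"], "mac": ["hmac-sha1"],
                 "hostkey": ["ssh-dss"]}
MODERN_SERVER = {"cipher": ["aes256-gcm@openssh.com", "aes256-ctr"],
                 "mac": ["hmac-sha2-256"], "hostkey": ["ssh-rsa", "ssh-ed25519"]}

if __name__ == "__main__":
    for name, offer in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        print(name, audit_server(offer))
```

Because the client's list decides the outcome, a legacy algorithm is only negotiated when the server offers nothing the client ranks higher; removing the legacy entries on the server side closes that path regardless of client defaults.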

Authentication and Access Controls

  • Optional Authentication: Credit Manager offers optional password authentication, requiring users to log in before accessing the application. Password expiration settings are available to enforce regular updates.
  • Elite Version Features: The Elite version supports multiple users with role-based access controls, allowing restrictions on a per-user basis to ensure users only access authorized features and data.
  • Principle of Least Privilege: Access controls are designed to limit user permissions to what is necessary for their role.

Support Data Handling

  • Secure Support Files: Files sent for support are transmitted within password-protected ZIP files. Database files (company files) remain AES-256 encrypted within the ZIP. Support files are stored temporarily on our servers and automatically deleted after 7 days using secure deletion methods.
  • Data Minimization: We do not collect consumer data unless explicitly provided by the customer for support or Metro 2 aggregation.

Application Security

  • Secure Development: Credit Manager is developed with robust security practices, including input validation and parameterized queries to prevent SQL injection. The encrypted SQLite database is accessible only by the application, reducing the risk of unauthorized access or tampering.
  • Binary Protection: The application binary is secured through obfuscation and encryption of constant strings to protect hardcoded keys and sensitive logic.

Updates and Patching

  • Automatic Updates: Credit Manager uses an App Launcher to automatically update the application on launch. Each file is hash-verified to ensure integrity, and outdated or compromised files are updated or deleted.
  • Dependency Management: We regularly monitor and update third-party components (e.g., SQLite, SFTP, compression libraries) for security vulnerabilities. Critical bug or security fixes are typically released within a few business days.

Incident Response and Logging

  • Event Logging: Certain application events are logged to a text file on the client's machine to support troubleshooting. Logs do not contain sensitive data and are stored locally.
  • Vulnerability Response: In the event of a discovered vulnerability, we will promptly notify affected customers and provide remediation steps, such as patches or configuration changes.

Compliance and Standards

  • Best Practices: Credit Manager is designed to align with industry best practices for data security and privacy, particularly for handling Metro 2 files used in credit reporting.
  • Continuous Improvement: We regularly review our security practices to ensure they meet evolving industry standards.

Contact Us

For security-related questions or to report a concern, please contact us.

We are committed to addressing inquiries promptly and transparently.

Last Updated: April 23, 2025

The Service Bureau reserves the right to update this policy as needed to reflect changes in our practices or regulatory requirements.