Security

How this site is kept secure.

This brand site and the operator's customer site are secured differently, because they do different jobs. Here is what is in place on each.

Brand site — creditcorpgroup.co.uk and creditcorp.uk

This brand site has the smallest possible attack surface by design. It takes no applications, no payments, no contact-form submissions, no logins, no leads. The only data it processes is server request logs and one strictly-necessary cookie.

HTTPS only

Every request to either domain is upgraded to HTTPS via the site's .htaccess. There is no plain-HTTP version of any page.

HSTS — HTTP Strict Transport Security

The site sends an HSTS header with a one-year duration and includeSubDomains. Once a browser has seen the header, it refuses to connect to either domain over plain HTTP for the lifetime of the policy.

Content Security Policy

The site enforces a restrictive CSP via response header. The current policy:

  • default-src 'self' — everything defaults to same-origin only.
  • style-src 'self' 'unsafe-inline' — styles from same-origin only, plus inline styles (for hero backgrounds and a small amount of utility styling). No off-origin stylesheet hosts.
  • font-src 'self' — fonts from same-origin only. Open Sans and Source Code Pro are self-hosted (Latin subset); there is no request to Google Fonts.
  • img-src 'self' data: — images from same-origin only, plus inline data: URIs.
  • script-src 'self'no inline scripts; no third-party scripts; no eval; no remote analytics. The site's only JavaScript is at /assets/js/search.js, served from the same origin.
  • connect-src 'self' — no remote fetches.
  • object-src 'none' — no plugins, applets or embedded objects.
  • frame-ancestors 'self' — the site cannot be framed by a third party.
  • base-uri 'self' and form-action 'self' — no base-tag or form-submission tricks.
  • upgrade-insecure-requests — any stray HTTP sub-resource is fetched over HTTPS.

Other security headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN — defence-in-depth alongside frame-ancestors.
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — geolocation, camera, microphone, payment, USB, interest-cohort and browsing-topics APIs all disabled.
  • Cross-Origin-Opener-Policy: same-origin and Cross-Origin-Resource-Policy: same-origin — cross-origin isolation; resources are not shareable off-origin.
  • X-Permitted-Cross-Domain-Policies: none — no Adobe cross-domain policy files honoured.
  • X-Powered-By and Server stripped on every response.

No third-party tracking

No analytics scripts. No tag managers. No marketing pixels. No remote fonts — the typefaces are self-hosted, so no request leaves your browser for a third party. No session-replay tooling. The site is JavaScript-light (one small search.js file, only loaded on /search/) and works fully without scripts.

Cookies

One strictly-necessary cookie by default (ccg_consent, records that you have dismissed the cookie banner). Any analytics or marketing cookies, if introduced in future, would be opt-in via the banner. Full disclosure at /legal/cookies/.

Personal data

This brand site does not collect personal data through any form, contact channel, or interactive surface. Server request logs (IP, user-agent, URL, timestamp) are retained for a maximum of 30 days and then deleted or anonymised. Full privacy notice at /legal/privacy/.

Hosting and infrastructure

The brand site runs on shared hosting at Hostinger. The PHP stack is minimal — static page templates, no database, no admin panel, no server-side sessions. There is no admin login on this domain.

Operator site — credicorp.co.uk

The operator's customer-facing site has a different security posture because it does customer-facing things. The signals it publishes about its own security are listed here so that anyone evaluating the operator can see them in one place. For the canonical statement, see credicorp.co.uk/our-technology.

Signed PDFs

Every Business Loan Agreement and Key Information Sheet is issued as a tamper-evident, digitally signed PDF. A signed PDF carries a cryptographic signature attached to a named certificate — changing the document after signing breaks the signature, which is visible in any compliant PDF reader.

Audit log

Every meaningful action on a customer file is recorded in an append-only audit log. "Append-only" means entries can be added but not edited or deleted, which makes the audit trail useful for any later dispute resolution — courts in particular treat an append-only log as evidentially stronger than ordinary logs.

Open Banking — read-only via OBIE

Where a customer connects their bank account during an application, the operator uses Open Banking under the Open Banking Implementation Entity (OBIE) standards, which sit under the FCA's Payment Services Regulations 2017. The connection is read-only: the operator can see transactions for affordability checks and this account-information consent cannot initiate payments or change the account.

Stripe for card payments

Card details are entered directly with Stripe, the operator's card-payment provider, via a Stripe-hosted form. Stripe is PCI DSS Level 1 certified. The operator does not store card numbers on its own systems.

Article 22 UK GDPR — automated-decision review

The operator publishes that every automated decision in the lending process is reviewable by a human on request. This satisfies Article 22 UK GDPR, which gives data subjects the right not to be subject to a solely automated decision with significant effects.

Operator policies

Reporting a security issue

The brand site does not run a formal vulnerability- disclosure programme. If you find a security issue with creditcorpgroup.co.uk, creditcorp.uk, or any sub-path on either domain, please report it via the operator's contact page at credicorp.co.uk/contact-us — include the URL, a description of the issue, and (if applicable) a proof of concept that does not actually exploit live data.

For issues on the operator's own site (credicorp.co.uk), the same contact route applies. The operator publishes more detail on its security practices at credicorp.co.uk/our-technology.

Related