Security

What this group does for security, in plain English.

Two surfaces — the brand site and the operator site — with different security postures because they do different things. Both are documented here.

Brand site — creditcorpgroup.co.uk and creditcorp.uk

This brand site has the smallest possible attack surface by design. It takes no applications, no payments, no contact-form submissions, no logins, no leads. The only data it processes is server request logs and a single strictly-necessary cookie, set when you dismiss the cookie banner.

HTTPS only

Every plain-HTTP request to either domain is redirected to HTTPS by the site's .htaccess; there is no plain-HTTP version of any page. A redirect can only act after the browser has already sent one request in the clear, which is the gap HSTS (next section) closes on repeat visits.

HSTS — HTTP Strict Transport Security

The site sends an HSTS header with a one-year max-age and includeSubDomains. Once a browser has received the header over HTTPS, it refuses to connect to that domain or any of its subdomains over plain HTTP for the lifetime of the policy, rewriting http:// links to https:// before the request leaves the browser. Browsers ignore HSTS on plain-HTTP responses, so the protection begins with the first successful HTTPS visit, not before.

Content Security Policy

The site enforces a restrictive CSP via response header. The current policy:

  • default-src 'self' — everything defaults to same-origin only.
  • style-src 'self' 'unsafe-inline' https://fonts.googleapis.com — inline styles allowed (for hero backgrounds and a small amount of utility styling); Google Fonts CSS allowed. 'unsafe-inline' is the policy's one relaxation; it applies to styles only and does not loosen script-src.
  • font-src 'self' https://fonts.gstatic.com — fonts from same-origin or Google Fonts only.
  • img-src 'self' data: — images from same-origin only, plus inline data: URIs.
  • script-src 'self' restricts scripts to the same origin: no inline scripts, no third-party scripts, no eval, no remote analytics. The site's only JavaScript is at /assets/js/search.js, served from the same origin.
  • connect-src 'self' — no remote fetches.
  • frame-ancestors 'self' — the site cannot be framed by a third party.
  • base-uri 'self' and form-action 'self' — no base-tag or form-submission tricks.

Other security headers

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN — defence-in-depth alongside frame-ancestors.
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy — geolocation, camera, microphone, payment, USB, and interest-cohort APIs all disabled.
  • X-Powered-By stripped on every response.
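The HSTS, CSP and header controls described above can be checked mechanically. The script below is an added example, not code from the site or the operator: the header values in SAMPLE_HEADERS are constructed from this page's description rather than captured from the live site, and the fail/warn thresholds (one-year max-age, no remote or inline script sources, the three directives that do not inherit from default-src) are the editor's choices.

```python
"""Audit a set of HTTP response headers against the controls documented above.

Added example. SAMPLE_HEADERS is constructed from the page's description of the
policy; nothing here contacts the live site.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # seconds; the usual HSTS max-age for a one-year policy

# Constructed sample: the headers the brand site is documented as sending.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
        "font-src 'self' https://fonts.gstatic.com; "
        "img-src 'self' data:; "
        "script-src 'self'; "
        "connect-src 'self'; "
        "frame-ancestors 'self'; "
        "base-uri 'self'; "
        "form-action 'self'"
    ),
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# Directives that do NOT fall back to default-src; they must be set explicitly.
NO_FALLBACK = ("frame-ancestors", "base-uri", "form-action")


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            # Duplicate directives: the first occurrence wins, later ones are ignored.
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def parse_hsts(value: str) -> tuple[int, bool]:
    """Return (max-age in seconds, includeSubDomains present)."""
    max_age, include_sub = 0, False
    for token in value.split(";"):
        token = token.strip().lower()
        if token.startswith("max-age="):
            max_age = int(token.split("=", 1)[1].strip().strip('"'))
        elif token == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_headers(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (level, message) findings: "fail" breaks a documented control, "warn" is a caveat."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    out: list[tuple[str, str]] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        out.append(("fail", "HSTS header missing"))
    else:
        max_age, include_sub = parse_hsts(hsts)
        if max_age < ONE_YEAR:
            out.append(("fail", f"HSTS max-age {max_age} is below one year"))
        if not include_sub:
            out.append(("fail", "HSTS lacks includeSubDomains"))

    csp = h.get("content-security-policy")
    if csp is None:
        out.append(("fail", "CSP header missing"))
    else:
        policy = parse_csp(csp)
        # Effective script sources: script-src if present, otherwise the default-src fallback.
        scripts = policy.get("script-src", policy.get("default-src", []))
        if not scripts:
            out.append(("fail", "no script sources (script-src or default-src) specified"))
        for src in scripts:
            # Inline, eval, wildcards and any http(s) host are all remote-code paths.
            if src in ("'unsafe-inline'", "'unsafe-eval'") or src.startswith(("http", "*")):
                out.append(("fail", f"script-src permits {src}"))
        if "'unsafe-inline'" in policy.get("style-src", []):
            out.append(("warn", "style-src allows 'unsafe-inline' (the documented relaxation)"))
        for d in NO_FALLBACK:
            if d not in policy:
                out.append(("fail", f"{d} not set (it does not inherit from default-src)"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        out.append(("fail", "X-Content-Type-Options is not nosniff"))
    if "x-powered-by" in h:
        out.append(("fail", "X-Powered-By is present; the page says it is stripped"))
    return out


if __name__ == "__main__":
    for level, message in audit_headers(SAMPLE_HEADERS):
        print(f"{level.upper()}: {message}")
```

Run it against headers captured from an https:// response (for example the output of `curl -sI https://creditcorpgroup.co.uk/`), not a plain-HTTP one: browsers ignore an HSTS header delivered over HTTP, so a pass on the HTTP response proves nothing. Against the documented policy the only output is the style-src warning.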

No third-party tracking

No analytics scripts. No tag managers. No marketing pixels. No session-replay tooling. The only remote resource is Google Fonts (CSS from fonts.googleapis.com, font files from fonts.gstatic.com), so Google does receive the visitor's IP address and user-agent when those files are fetched; no other third party is contacted. The site is JavaScript-light (one small search.js file, loaded only on /search/) and works fully without scripts.

Cookies

One strictly-necessary cookie by default (ccg_consent, which records that you have dismissed the cookie banner). Any analytics or marketing cookies, if introduced in future, would be opt-in via the banner. Full disclosure at /legal/cookies/.

Personal data

This brand site does not collect personal data through any form, contact channel, or interactive surface. Server request logs (IP, user-agent, URL, timestamp) are retained for a maximum of 30 days and then deleted or anonymised. Full privacy notice at /legal/privacy/.

Hosting and infrastructure

The brand site runs on shared hosting at Hostinger. The PHP stack is minimal — static page templates, no database, no admin panel, no server-side sessions. There is no admin login on this domain.

Operator site — credicorp.co.uk

The operator's customer-facing site has a different security posture because it does customer-facing things. The signals it publishes about its own security are listed here so that anyone evaluating the operator can see them in one place. For the canonical statement, see credicorp.co.uk/our-technology.

Signed PDFs

Every Business Loan Agreement and Key Information Sheet is issued as a tamper-evident, digitally signed PDF. The signature is computed over the document's contents with the private key of a named certificate and embedded in the file; changing the document after signing invalidates the signature, and any compliant PDF reader reports the failure. Verification establishes that the document is unchanged since signing and which certificate signed it; whether that certificate is trusted is a separate question answered by the reader's trust settings.

Audit log

Every meaningful action on a customer file is recorded in an append-only audit log. "Append-only" means entries can be added but never edited or deleted, so the log shows what happened, in what order, as recorded at the time. That is what makes the trail useful in a later dispute: an append-only record is generally given more weight than one that could have been altered afterwards, and the strength of that claim rests on how the append-only property is enforced.
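The page does not say how the operator enforces append-only, so the following is an added illustration of one common way to make such a log tamper-evident (a hash chain), written for this page rather than taken from the operator's systems. Every entry commits to the hash of the entry before it, so editing or removing any earlier entry breaks every hash after it. The event names, file identifiers and timestamps are constructed; the "head" hash recorded outside the log is the editor's addition to show why chaining alone does not detect truncation.

```python
"""Hash-chained, append-only audit log (added illustration, not the operator's code)."""
from __future__ import annotations

import hashlib
import json

GENESIS = "0" * 64  # stands in for "no previous entry"


def _entry_hash(prev_hash: str, body: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an identical event always hashes identically.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + b"\n" + payload).hexdigest()


class AuditLog:
    """Append-only by construction: the class exposes append() and read access, nothing else."""

    def __init__(self) -> None:
        self._entries: list[dict] = []

    def append(self, ts: str, actor: str, action: str, file_id: str) -> str:
        """Record one event and return its hash, which links the next entry to this one."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "ts": ts, "actor": actor,
                "action": action, "file_id": file_id, "prev": prev}
        entry = dict(body, hash=_entry_hash(prev, body))
        self._entries.append(entry)
        return entry["hash"]

    def head(self) -> str:
        """Hash of the newest entry; record this somewhere the log's custodian cannot rewrite."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export(self) -> list[dict]:
        return [dict(e) for e in self._entries]  # copies, so callers cannot mutate the store


def verify_entries(entries: list[dict], expected_head: str | None = None) -> int | None:
    """Return None if the chain is intact, otherwise the index of the first entry that fails.

    An edited or deleted entry breaks the chain at that point. Deleting entries from the
    *end* is invisible to the chain itself, so pass the last hash you recorded elsewhere as
    expected_head; a mismatch is reported as index len(entries).
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: v for k, v in e.items() if k != "hash"}
        if body.get("seq") != i or body.get("prev") != prev or _entry_hash(prev, body) != e.get("hash"):
            return i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def demo() -> tuple[int | None, int | None, int | None, int | None]:
    """Constructed sample events; returns verify() results for intact, edited, deleted and truncated copies."""
    log = AuditLog()
    log.append("2024-05-01T09:00:00Z", "underwriter-1", "decision.approve", "file-1001")
    log.append("2024-05-01T09:05:00Z", "system", "document.sign", "file-1001")
    log.append("2024-05-02T10:00:00Z", "ops-2", "file.note", "file-1001")
    head = log.head()  # what an external anchor (e.g. a nightly countersignature) would hold

    intact = verify_entries(log.export(), head)

    edited = log.export()
    edited[1]["action"] = "document.void"  # silently rewriting history
    edited_at = verify_entries(edited, head)

    deleted = log.export()
    del deleted[1]  # removing an inconvenient entry
    deleted_at = verify_entries(deleted, head)

    truncated = log.export()[:2]  # dropping the newest entry
    truncated_at = verify_entries(truncated, head)
    return intact, edited_at, deleted_at, truncated_at


if __name__ == "__main__":
    print(demo())
```

The chain makes edits and deletions detectable; it does not by itself prevent them, and it cannot see entries removed from the tail unless the latest hash was recorded somewhere the log's custodian cannot rewrite. In practice the class's lack of an update or delete method has to be mirrored by the storage layer (database grants or write-once storage), otherwise the guarantee is only as good as access to the underlying table.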

Open Banking — read-only via OBIE

Where a customer connects a bank account during an application, the operator uses Open Banking under the Open Banking Implementation Entity (OBIE) standards; the access itself is account-information access regulated by the FCA under the Payment Services Regulations 2017. The connection is read-only: the operator can read transactions for affordability checks but has no payment-initiation access, so it cannot move money out of the account.

Stripe for card payments

Card details are entered directly into a Stripe-hosted form, so card numbers travel from the customer's browser to Stripe and never pass through the operator's servers. Stripe, the operator's card-payment provider, is certified as a PCI DSS Level 1 service provider, and the operator does not store card numbers on its own systems.

Article 22 UK GDPR — automated-decision review

The operator publishes that every automated decision in the lending process is reviewable by a human on request. Article 22 UK GDPR gives data subjects the right not to be subject to a decision based solely on automated processing that has legal or similarly significant effects, and where such decisions are made it requires safeguards including the right to obtain human intervention and to contest the decision; human review on request is that safeguard.

Operator policies

Reporting a security issue

The brand site does not run a formal vulnerability-disclosure programme. If you find a security issue with creditcorpgroup.co.uk, creditcorp.uk, or any sub-path on either domain, please report it via the operator's contact page at credicorp.co.uk/contact-us. Include the URL, a description of the issue, and (if applicable) a proof of concept that demonstrates the issue without touching live customer data.

For issues on the operator's own site (credicorp.co.uk), the same contact route applies. The operator publishes more detail on its security practices at credicorp.co.uk/our-technology.

Related