--- title: "Security" description: "Security signals across the group — brand-site HTTPS, CSP and security headers, no PII collection; operator-side signed PDFs, audit log, Open Banking read-only via OBIE, Stripe for cards, Article 22 disclosures." canonical: "https://creditcorpgroup.co.uk/security/" locale: "en-GB" updated: "2026-06-22" --- # How this site is kept secure. This brand site and the operator's customer site are secured differently, because they do different jobs. Here is what is in place on each. ## Brand site — creditcorpgroup.co.uk and creditcorp.uk This brand site has the smallest possible attack surface by design. It takes no applications, no payments, no contact-form submissions, no logins, no leads. The only data it processes is server request logs and one strictly-necessary cookie. ### HTTPS only Every request to either domain is upgraded to HTTPS via the site's `.htaccess`. There is no plain-HTTP version of any page. ### HSTS — HTTP Strict Transport Security The site sends an HSTS header with a one-year duration and `includeSubDomains`. Once a browser has seen the header, it refuses to connect to either domain over plain HTTP for the lifetime of the policy. ### Content Security Policy The site enforces a restrictive CSP via response header. The current policy: ### Other security headers ### No third-party tracking No analytics scripts. No tag managers. No marketing pixels. No remote fonts — the typefaces are self-hosted, so no request leaves your browser for a third party. No session-replay tooling. The site is JavaScript-light (one small `search.js` file, only loaded on [/search/](https://creditcorpgroup.co.uk/search/)) and works fully without scripts. ### Cookies One strictly-necessary cookie by default (`ccg_consent`, records that you have dismissed the cookie banner). Any analytics or marketing cookies, if introduced in future, would be opt-in via the banner. Full disclosure at [/legal/cookies/](https://creditcorpgroup.co.uk/legal/cookies/). ### Personal data This brand site does not collect personal data through any form, contact channel, or interactive surface. Server request logs (IP, user-agent, URL, timestamp) are retained for a maximum of 30 days and then deleted or anonymised. Full privacy notice at [/legal/privacy/](https://creditcorpgroup.co.uk/legal/privacy/). ### Hosting and infrastructure The brand site runs on shared hosting at Hostinger. The PHP stack is minimal — static page templates, no database, no admin panel, no server-side sessions. There is no admin login on this domain. ## Operator site — credicorp.co.uk The operator's customer-facing site has a different security posture because it does customer-facing things. The signals it publishes about its own security are listed here so that anyone evaluating the operator can see them in one place. For the canonical statement, see [credicorp.co.uk/our-technology](https://credicorp.co.uk/our-technology/). ### Signed PDFs Every Business Loan Agreement and Key Information Sheet is issued as a tamper-evident, digitally signed PDF. A signed PDF carries a cryptographic signature attached to a named certificate — changing the document after signing breaks the signature, which is visible in any compliant PDF reader. ### Audit log Every meaningful action on a customer file is recorded in an append-only audit log. "Append-only" means entries can be added but not edited or deleted, which makes the audit trail useful for any later dispute resolution — courts in particular treat an append-only log as evidentially stronger than ordinary logs. ### Open Banking — read-only via OBIE Where a customer connects their bank account during an application, the operator uses Open Banking under the Open Banking Implementation Entity (OBIE) standards, which sit under the FCA's Payment Services Regulations 2017. The connection is **read-only**: the operator can see transactions for affordability checks and this account-information consent cannot initiate payments or change the account. ### Stripe for card payments Card details are entered directly with Stripe, the operator's card-payment provider, via a Stripe-hosted form. Stripe is PCI DSS Level 1 certified. **The operator does not store card numbers on its own systems.** ### Article 22 UK GDPR — automated-decision review The operator publishes that every automated decision in the lending process is reviewable by a human on request. This satisfies Article 22 UK GDPR, which gives data subjects the right not to be subject to a solely automated decision with significant effects. ### Operator policies ## Reporting a security issue The brand site does not run a formal vulnerability- disclosure programme. If you find a security issue with creditcorpgroup.co.uk, creditcorp.uk, or any sub-path on either domain, please report it via the operator's contact page at [credicorp.co.uk/contact-us](https://credicorp.co.uk/contact-us/) — include the URL, a description of the issue, and (if applicable) a proof of concept that does not actually exploit live data. For issues on the operator's own site (credicorp.co.uk), the same contact route applies. The operator publishes more detail on its security practices at [credicorp.co.uk/our-technology](https://credicorp.co.uk/our-technology/). ## Related