Creme Global Platform Security and Service Continuity Details
Overview
Creme Global operates cloud-based data science, modelling, data collection, and analytics platforms for customers in data-sensitive and regulated sectors. This page summarises the main security, availability, and service continuity measures used to protect customer data and maintain resilient platform operations.
Our production infrastructure is hosted on Amazon Web Services. AWS provides independently audited infrastructure, data centre, physical security, and cloud security controls. Creme Global supplements these cloud infrastructure controls with internal access control, software development, monitoring, backup, incident response, and business continuity procedures.
Additional security information can be provided to customers and prospective customers under appropriate commercial or confidentiality arrangements.
Hosting and infrastructure
Creme Global platforms are hosted on AWS. AWS is selected for its security, scalability, resilience, and mature compliance framework.
The platform architecture separates key functions, including web application services, API services, databases, compute resources, and traffic routing. Compute resources can be scaled according to platform requirements, and additional capacity can be provisioned using AWS infrastructure.
Production systems are supported by separate quality assurance environments, allowing changes and upgrades to be tested before deployment to production.
Compliance and assurance
Creme Global maintains internal information security controls covering access management, software development, monitoring, backup, incident response, business continuity, and support processes.
Creme Global’s cloud infrastructure is hosted on AWS services that are covered by AWS security and compliance programmes, including ISO/IEC 27001 certification. Creme Global does not currently maintain its own ISO/IEC 27001 certification.
Where customer procurement, legal, or compliance teams require further assurance, Creme Global can provide additional documentation on request.
Data protection and confidentiality
Customer data is treated as confidential and is used only for the purposes of providing the agreed platform, modelling, analytics, data collection, support, and related services.
Customer workspaces are logically separated. Users are associated with their customer organisation or project group, and access to customer data is restricted based on their assigned roles and permissions.
Creme Global personnel access customer data only where required for authorised operational, support, maintenance, security, or customer-requested troubleshooting purposes. Privileged access is restricted to authorised personnel and controlled under internal access management procedures.
Customer-Facing AI and Large Language Model Features
Creme Global may integrate commercial, enterprise, or private large language model capabilities into its platforms to provide customer-facing functionality. These capabilities may include natural-language querying, conversational analytics, dashboard interpretation, data exploration, report drafting, workflow support, summarisation, explanation of model outputs, and other AI-assisted platform features.
These features may be delivered using enterprise AI services such as Amazon Q, Amazon QuickSight Q / Amazon Quick Suite, Amazon Bedrock, or other commercial or privately deployed LLM services. The specific services, data sources, functionality, and controls used for a customer environment may vary according to the relevant platform configuration, customer agreement, and project requirements.
Customer data remains confidential when used with AI-assisted platform features. Creme Global does not use, and does not permit its service provider partners to use, customer data, prompts, queries, uploaded files, generated outputs, analytical datasets, dashboards, reports, or derived content to train public large language models.
AI-assisted features are governed by the same customer isolation, role-based access control, permission management, and data segregation principles used elsewhere in the Creme Global platform. Users can only query, summarise, retrieve, or generate outputs from data they are authorised to access.
Where LLM functionality is connected to customer datasets, dashboards, documents, models, or analytical outputs, the connection is configured for the approved customer use case. In multi-customer or consortium environments, Creme Global can apply additional controls such as workspace separation, aggregation rules, suppression thresholds, anonymisation, pseudonymisation, audit logging, and restrictions on access to raw or identifiable submissions.
Creme Global may use customer-specific AI configurations, including retrieval-augmented generation, where appropriate. In these cases, the AI feature may retrieve information from approved customer data sources, metadata, documents, dashboards, reports, analytical outputs, or knowledge bases in order to answer user queries or generate outputs. These configurations do not make customer data available to other customers and do not use customer data to train public models.
Customer-specific model training, fine-tuning, embeddings, retrieval indexes, or knowledge-base configuration will only be carried out where supported by the platform configuration and permitted under the relevant customer agreement. Creme Global applies data minimisation principles to these processes and will not intentionally use personally identifiable information or personal data for model training or fine-tuning unless this is expressly required for the approved customer use case, legally permitted, and governed by appropriate contractual, technical, and organisational controls. Where practicable, personal data will be excluded, anonymised, pseudonymised, aggregated, or otherwise minimised before being used in AI-assisted functionality. Where these techniques are used, they are applied for the customer’s own approved environment or use case only.
Prompts, queries, generated outputs, and related usage metadata may be logged for security, audit, troubleshooting, abuse prevention, quality assurance, and service operation purposes. These logs are treated as confidential platform or customer content and are handled according to applicable contractual, legal, and data protection obligations.
AI-generated outputs may be incomplete, inaccurate, or misleading and should be reviewed by users before being relied upon for scientific, regulatory, legal, commercial, or operational decisions. AI-assisted features are intended to support users in exploring, interpreting, and working with data; they do not replace validated models, approved reports, expert review, or customer governance processes.
AI-assisted features are provided for defined platform purposes only. They are not designed or intended to make autonomous decisions about individuals, determine legal rights, or support employment, credit, insurance, medical, regulatory, or other legally significant decisions, unless that use case has been expressly agreed with the customer, assessed, documented, and governed under the applicable customer agreement.
Where an AI-assisted feature is proposed to be used in a regulated, high-risk, or legally significant context, Creme Global will assess the deployment against applicable legal, regulatory, and contractual requirements, including the EU AI Act where relevant, and agree on appropriate governance, documentation, human oversight, monitoring, logging, and customer responsibilities.
Creme Global will provide appropriate user instructions, limitations, and support materials for AI-assisted features where required. These may include information on the feature’s intended purpose, supported data sources, known limitations, human oversight expectations, appropriate and inappropriate uses, and escalation routes for suspected errors or unexpected outputs.
Where required, Creme Global can provide additional information on the AI services, hosting model, data flows, access controls, logging, retention, intended purpose, user instructions, human oversight, and governance measures used for a specific customer deployment.
User authentication and account management
User accounts are created through controlled invitation, registration, or customer-approved access processes. Users authenticate using their registered email address and password.
The platform supports multi-factor authentication for user accounts through the account management page. Customers are encouraged to enable MFA for users accessing sensitive data or administrative functionality. Customers can request that MFA be enabled and required for all users on their platform service or accounts.
The platform also includes single sign-on functionality across the Creme Global platform applications, improving user experience and centralising authentication.
Passwords are not sent to users by email. Users set their own passwords during account activation or password reset. Password reset links are sent to the registered email address and are time-limited and/or single-use, depending on the platform configuration.
Privileged access
Administrative and privileged access is restricted to authorised Creme Global personnel on a least-privilege basis. Privileged access is granted only where required for the employee’s role and is revoked when no longer required, including when an employee leaves the company or changes roles.
Access to critical infrastructure is protected using multi-factor authentication and controlled credential management. Administrative accounts are assigned to individual users rather than shared for normal administrative activity.
Access rights are reviewed periodically and when there is a relevant change in role, responsibility, project involvement, or employment status.
Encryption
Data transmitted between users and the Creme Global platform is encrypted in transit using HTTPS/TLS.
Customer databases and database backups are encrypted at rest using AWS encryption capabilities. Backups are created using encrypted AWS-managed storage and snapshot mechanisms.
Credentials, access keys, and secrets used for infrastructure administration are controlled through restricted internal credential management processes and are available only to authorised personnel.
Application security and secure development
Creme Global applies secure software development practices throughout platform development and maintenance. These include:
- Input validation and file type controls.
- Separation of application functions and services.
- Role-based access controls.
- Least-privilege access principles.
- Code review and quality assurance processes.
- Testing in QA environments before production deployment.
- Version control and controlled release management.
- Tracking and documentation of fixes and releases.
- Regular external penetration testing.
Security, stability, and platform reliability improvements are included as part of ongoing platform maintenance and release activity.
Vulnerability management and patching
Creme Global actively monitors platform infrastructure and applications for security and availability issues. Operating system, infrastructure, application, and dependency updates are reviewed and applied according to severity, operational risk, and platform impact.
Vulnerabilities are triaged according to severity and business impact. Critical vulnerabilities are prioritised for immediate mitigation or remediation. Where a vulnerability creates a material risk to customer data, platform availability, or confidentiality, affected customers will be informed in accordance with contractual and regulatory obligations.
Platform releases, patches, and bug fixes are managed through Creme Global’s development, QA, and release management process.
Monitoring and logging
Creme Global monitors platform availability, application health, infrastructure status, and key service components. Monitoring is designed to identify service interruptions, degraded performance, and abnormal system behaviour.
User login events and relevant platform activity are logged. Logs may be reviewed for security, troubleshooting, operational support, and service optimisation purposes.
Where credential compromise or suspicious access is suspected, Creme Global can lock or reset affected accounts and review relevant login activity, timestamps, and IP address information where available.
Availability and scalability
Creme Global platforms are designed to use AWS scalability, resilience, and infrastructure availability features.
The platform can scale compute and storage resources according to platform requirements and customer usage patterns. Resource requirements for large projects, heavy modelling workloads, or specific customer environments can be reviewed during project planning.
Planned maintenance and upgrades are scheduled to minimise customer disruption. Where maintenance may materially affect customer access, Creme Global will communicate with affected customers as appropriate.
Backup and restore
Customer databases and platform data are backed up using AWS-managed backup and snapshot mechanisms. Backups are encrypted.
Creme Global maintains backup and restore procedures to support service continuity and disaster recovery. Backup restoration is tested periodically.
Backup retention and deletion periods may depend on the relevant customer agreement, project configuration, and legal or regulatory requirements.
Disaster recovery and service continuity
Creme Global’s production platform is hosted in AWS and benefits from AWS data centre resilience, availability-zone architecture, and disaster recovery capabilities.
Creme Global maintains internal recovery procedures for restoring platform services from backups and infrastructure images where required. Disaster recovery and backup restoration procedures are tested periodically.
For customer-specific environments, additional resilience, regional deployment, backup, or recovery requirements can be reviewed and agreed as part of the relevant contract or statement of work.
Data location
Creme Global supports infrastructure in AWS regions including the United States and Ireland. The physical location of customer data depends on the relevant customer agreement and platform configuration.
Alternative hosting locations may be considered where required by customer, regulatory, or contractual requirements, subject to technical and commercial review.
Data return and deletion
On contract termination, project closure, or customer exit, Creme Global can assist with export, return, and deletion of customer data in accordance with the applicable agreement.
Data deletion timelines may vary depending on backup cycles, contractual terms, legal obligations, and technical constraints. Backup copies may persist for a limited period until overwritten or deleted according to the applicable backup retention schedule.
Incident response and customer notification
Security incidents and suspected credential compromise should be reported to:
Creme Global will investigate reported security events, take appropriate containment and remediation steps, and notify affected customers where an incident materially affects their data, confid
entiality, platform access, or service availability.
Incident communication will be handled by email or another agreed customer communication channel.
Endpoint and infrastructure protection
Creme Global uses endpoint protection, controlled administrative access, cloud infrastructure security controls, monitoring, and restricted production access to reduce the risk of malware, unauthorised access, and system compromise.
End users cannot install executable software on the Creme Global platform.
Subcontractors and third-party services
Creme Global uses AWS as its primary cloud infrastructure provider. Other third-party services may be used for platform operation, support, monitoring, communication, or business administration.
Administration of Creme Global platform services is carried out by authorised Creme Global personnel. Where third-party service providers are used, they are assessed according to their role, access, and relevance to customer data or service continuity.
Browser and client requirements
The Creme Global platform is cloud-based and accessed through a modern web browser. Google Chrome is recommended for optimal performance. No browser plug-ins such as ActiveX are required.
Customers should use supported, up-to-date browser versions and maintain appropriate security controls on their own devices and networks.
Further information
Customers and prospective customers requiring further information about platform security, service continuity, data protection, infrastructure, or procurement assurance should contact their Creme Global representative or email: