Security and compliance.
CredBackr is designed to support banks and insurers in meeting their obligations under applicable regulatory frameworks when engaging third-party service providers.
Processing architecture.
Stateless processing.
Bank statement data is processed in-memory. Buffers are purged after report generation. CredBackr does not retain bank statement data beyond the processing window required to produce the report.
Deterministic computation.
No machine learning model, no language model, and no inference layer operates on customer data during report generation. Every computed value is produced by rule-based logic. Every output statement is selected from a fixed Label Vocabulary, with selection driven deterministically by computed metric values.
Auditable output.
Every numeric claim in a CredBackr report traces to specific transactions in the source bank statement. The audit path is: statement transaction → classified category → family metric → signal state → report sentence. No step introduces interpretive judgment.
Data residency.
Production processing runs in regional cloud infrastructure appropriate to the customer's jurisdiction. For South African customers, processing runs in the AWS Africa (Cape Town) region. For other markets, regional residency arrangements are available under contract.
Model risk and auditability.
CredBackr's architecture is deterministic. Every output is produced by rule-based logic that an auditor can trace from source transactions through computed metrics to the final report sentence. There is no model to validate, no training data to govern, and no drift to monitor — because there is no model.
This architectural position is designed to align with model risk management principles common across international credit risk frameworks. The deterministic computation path is natively compatible with the principles in the US Federal Reserve's SR 11-7 guidance on model risk management, with the model governance expectations embedded in Basel III's standardised approach to credit risk, and with the transparency and auditability requirements emerging under the European Union's AI Act.
CredBackr does not claim certification under any of these frameworks. It is not a certified or validated model. What it offers is an architecture whose properties — traceability, determinism, absence of inference — are designed to fit cleanly into the documentation and governance obligations that credit risk functions already carry under these frameworks.
Supporting customer compliance.
| Framework | How CredBackr supports customer obligations |
|---|---|
| SR 11-7 (US Federal Reserve model risk management guidance) | Deterministic architecture; full traceability from input transactions to output sentences; no model validation required because no model exists |
| Basel III model governance principles | Auditable computation path; documented methodology available under NDA; no statistical model or machine learning component |
| EU AI Act | Deterministic architecture; no inference layer; architecture designed for compatibility with incoming regulatory frameworks |
| SARB Prudential Authority D3/2018 (Cloud Computing and Offshoring of Data) | In-country processing for SA customers (AWS Cape Town); documented exit arrangements; regulator-access provisions available to customer compliance teams under contract |
| SARB G5/2014 (Outsourcing of Functions within Banks) | Materiality assessment support; audit trail for every report; data strategy documentation available under NDA |
| POPIA (Protection of Personal Information Act) | CredBackr operates as an operator under POPIA for customer-provided data; processing is purpose-limited to report generation |

Note: CredBackr does not represent that it is itself directly regulated by, or certified under, any of the frameworks listed above. These frameworks apply to banks, insurers, and financial institutions engaging service providers. CredBackr is designed to fit cleanly into the risk assessment, documentation, and governance obligations those institutions carry under their own regulators.