Privacy

Last updated: January 21, 2026. We will update this Privacy page as needed to reflect any changes in our practices or obligations.  

Our goal is to be fully transparent about data practices so that you, as a bank or credit union, can trust that we treat your clients’ Nonpublic Personal Information (NPI) with the same care and diligence as you do.

Overview & our privacy commitment

Candescent’s mission is to be a trusted partner for financial institutions. Trustworthiness begins and ends with how we handle data, including NPI. We want our customers to know that we treat the privacy of their clients’ NPI as paramount. Here’s what that means:
  • Your data, under your control – We operate strictly as a service provider to financial institutions, processing NPI on your behalf, under your direction, and for your benefit. We do not have any direct relationships with consumers; the NPI you entrust to us is and always remains your property. Candescent will never sell or rent your clients’ NPI. We are contractually and ethically bound to protect and manage it.
  • Your partner in compliance – Your regulatory obligations are our priority. Our platform complies with the Gramm-Leach-Bliley Act (GLBA) and applicable federal and state laws, and is designed to meet or exceed your third-party risk management (TPRM) expectations. We operate with the transparency and documentation you need to satisfy audits and vendor management reviews with confidence.
  • Privacy by design – To strengthen our commitment to Privacy by Design, we have integrated a specialized privacy attorney into the product development process. This expert-driven approach is designed to ensure that privacy considerations are embedded from initial design through daily operations. Our framework emphasizes:
      • Data minimization – Collect only what is necessary.
      • Robust encryption – Protect data in transit and at rest.
      • Strict access controls – Role-based, least-privilege permissions to safeguard NPI.
      • Continuous threat monitoring – Proactive detection and mitigation of risks.

This philosophy is deeply ingrained in our culture. Every member of the Candescent team is required to uphold the strict confidentiality and security of your data in practice, and is regularly trained to do so.

Trust through transparency

We believe trust is earned through openness. That’s why we provide clear visibility into our privacy governance practices: how NPI flows through our systems, who has access to it, and why. When your regulators have questions, we provide the documentation and expert support you need to respond, and to complete your own internal audits and risk assessments with confidence. Our goal is for you to view us not just as a vendor, but as a transparent partner whose practices you can confidently present during any audit or review.

The following sections break down how we fulfill this commitment in practice.

Data collection & use

What NPI we handle: The NPI we handle is the information required to make your digital banking services work for your clients. Our role is strictly limited to using that NPI to operate the platform securely and improve its functionality on your behalf. Here are the common NPI categories we process and a description of the service-focused use for each:

Providing functionalities:

We use personal (name, contact details, username) and account data to enable the functionalities of online/mobile banking – showing account balances and history, allowing fund transfers, enabling features like bill payment, remote check deposit, personal financial management, etc. For example, when a user wants to transfer money, our system takes their input (accounts involved, amount, date), requests processing (often via integration with the core banking system or payment networks), and then stores a record of that transaction for the user’s and financial institution’s reference.

Enhancing the user experience & personalization:

As directed by you, our platform uses NPI, such as the user’s name (to greet them), their preferences (like language or notification settings), and past behavior (e.g., showing frequent payees first in a list) to create a more intuitive and user-friendly digital banking experience. Any such personalization is done within the confines of the service and for the benefit of both the financial institution and the user.

Security & fraud prevention:

We use authentication and behavioral data to protect accounts. For instance, analyzing login patterns helps detect possible account takeover attempts (if someone logs in from an unusual location or device, we might require additional verification or alert the user). We also utilize NPI (like device info, transaction patterns) to help flag potentially fraudulent transactions, which can then be reviewed or stopped. All of this is part of delivering a secure service to the financial institution and end-user.
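The paragraph above describes login-pattern analysis only at a high level. As an added illustration, and not Candescent’s code or a description of its actual detection logic, the following Python shows how such a check can be built while staying within the data minimization commitment: each login event carries only a hashed device fingerprint and coarse (city-level) geolocation, both assumed here, and the decision is one of allow, require additional verification (step-up), or alert. The three signals (unseen device, unseen country, implausible travel speed between consecutive logins), the 1,000 km/h threshold, and the sample events are all constructed for this example.

```python
"""Constructed example of account-takeover heuristics on login events.

Not Candescent's code. Device identifiers are assumed to be hashed
fingerprints and coordinates are assumed to be coarse, city-level values,
so the profile holds no raw identifiers or precise locations.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt
from typing import Callable, Optional


@dataclass(frozen=True)
class Login:
    ts: int           # Unix seconds
    device_id: str    # hashed device fingerprint (assumed)
    country: str      # ISO country code from coarse IP geolocation (assumed)
    lat: float        # city-level latitude (assumed)
    lon: float        # city-level longitude (assumed)


@dataclass
class UserProfile:
    devices: set[str] = field(default_factory=set)
    countries: set[str] = field(default_factory=set)
    last: Optional[Login] = None


MAX_PLAUSIBLE_KMH = 1000.0   # assumed: roughly airliner speed
MIN_DISTANCE_KM = 50.0       # assumed: ignore jitter within one metro area


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on a 6371 km sphere."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess(profile: UserProfile, login: Login) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is allow, step_up or alert."""
    reasons: list[str] = []
    if login.device_id not in profile.devices:
        reasons.append("new_device")
    if login.country not in profile.countries:
        reasons.append("new_country")
    if profile.last is not None:
        hours = (login.ts - profile.last.ts) / 3600
        km = haversine_km(profile.last.lat, profile.last.lon, login.lat, login.lon)
        # Two logins too far apart for the elapsed time cannot both be the user.
        if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            reasons.append("impossible_travel")
    if "impossible_travel" in reasons or len(reasons) >= 2:
        return "alert", reasons
    if reasons:
        return "step_up", reasons
    return "allow", reasons


def learn(profile: UserProfile, login: Login) -> None:
    """Teach the profile from a login. Only allowed logins and step-ups the user
    passed may reach here; an alerted login must never make its device trusted."""
    profile.devices.add(login.device_id)
    profile.countries.add(login.country)
    profile.last = login


def run(profile: UserProfile, events: list[Login],
        step_up_passed: Callable[[Login], bool] = lambda login: True) -> list[tuple[str, list[str]]]:
    """Assess events in order, updating the profile as the policy allows."""
    results = []
    for login in events:
        decision, reasons = assess(profile, login)
        results.append((decision, reasons))
        if decision == "allow" or (decision == "step_up" and step_up_passed(login)):
            learn(profile, login)
    return results


# Constructed sample data: one user whose history starts with a single login.
ATLANTA = (33.75, -84.39)
SYDNEY = (-33.87, 151.21)
T0 = 1_700_000_000


def seeded_profile() -> UserProfile:
    profile = UserProfile()
    learn(profile, Login(T0, "dev-A", "US", *ATLANTA))
    return profile


SAMPLE_EVENTS = [
    Login(T0 + 3600, "dev-A", "US", *ATLANTA),              # known device and country
    Login(T0 + 2 * 3600, "dev-B", "US", *ATLANTA),          # unseen device
    Login(T0 + 2 * 3600 + 1800, "dev-A", "AU", *SYDNEY),    # ~15,000 km in 30 minutes
    Login(T0 + 26 * 3600, "dev-B", "US", *ATLANTA),         # dev-B trusted after step-up
]


def demo() -> list[tuple[str, list[str]]]:
    return run(seeded_profile(), SAMPLE_EVENTS)


if __name__ == "__main__":
    for login, (decision, reasons) in zip(SAMPLE_EVENTS, demo()):
        print(f"{login.device_id} {login.country} -> {decision} {reasons}")
```

The design point worth noting is in `run`: an alerted login never updates the profile, so an attacker cannot turn a flagged device into a trusted one simply by trying again, while a device that passes step-up verification is learned and does not prompt the user a second time.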

Operations and improvement:

Internally, we may use certain data in aggregate to improve system performance and plan capacity. For example, monitoring how many users log in during peak hours helps us ensure our infrastructure can handle the load. If we notice certain features are rarely used, we might research why and improve them – but that does not involve reading NPI, just the fact a feature is not used often. We may also simulate data in test systems (using anonymized or synthetic data) to improve new features without exposing real NPI inappropriately.

Data sharing & subprocessor organizations

In providing a comprehensive digital banking solution, Candescent uses carefully selected third-party organizations to supply essential infrastructure and functionality within its base platform (e.g., cloud hosting, managed file transfer services, etc.). We understand that data sharing is a sensitive topic, especially in a highly regulated environment, so we want to clearly explain when and how we share NPI. Fundamentally: we do not share end-user NPI with anyone outside of providing our service (and never for advertising or selling) unless required by law, and when we do share, we ensure it is done securely and under strict agreements that uphold confidentiality and privacy. All such third-party organizations undergo a rigorous due diligence and security review prior to engagement and again on an annual basis. For more details on which third-party organizations may access end-user NPI and under what circumstances, please see our subprocessor list.

Support for individual rights requests

While your end-users will contact you for privacy inquiries, we stand behind the scenes ready to support as needed. This includes assisting you in responding to verified requests from your customers to exercise their privacy rights under applicable U.S. laws (often called Data Subject Access Requests or DSARs). As a processor, we cannot act on data subject access requests without direction from you, the controller.

Data retention & disposal

Candescent follows a “data minimization and lifecycle management” approach when it comes to retaining NPI. Our data retention schedules are governed by our contractual agreements with you and applicable law. We retain NPI only for the period specified by you or as required to meet our shared legal and regulatory obligations. At the end of the retention period, data is securely and permanently destroyed in accordance with NIST SP 800-88 (Guidelines for Media Sanitization). Proper data retention and disposal not only reduce the risk of old data becoming a liability and align with privacy best practices; they are also a requirement under regulations such as the FTC’s Safeguards Rule (16 CFR Part 314).

Transfer of NPI

Candescent operates primarily in the U.S. but may from time to time use partners and suppliers outside of the U.S., and this may result in the transfer of NPI from the U.S. to other countries whose data protection laws differ from those of the U.S. If the country or territory to which the NPI is transferred does not offer the same level of protection to the NPI, our policy is to require the same level of protection through the provisions in the contracts we enter into with those partners and suppliers. We are also a global company, which may cause NPI to be transferred to our direct affiliates in other countries, for example to assist with a customer support ticket.

Security program

Our privacy commitments are backed by a robust, independently audited security program. We maintain a SOC 2 Type II attestation across all products and are also examined by the FFIEC as a technology service provider. For products handling payment card information, we maintain PCI DSS compliance validated by an independent assessment, and select products are ISO 27001 certified, demonstrating adherence to globally recognized information security standards. These independent validations reinforce our dedication to maintaining a world-class security posture. For additional details and access to our SOC 2, PCI DSS, and ISO 27001 reports, please visit our Security Trust Center.

Privacy contact

For any privacy-related inquiries or requests, please contact:

4 Concourse Pkwy Suite 400
Atlanta, GA 30328
privacy@candescent.com

To learn more please read our Privacy Policy.
