Trust posture for a data substrate.
CCEN holds the operational data your business runs on. The way we treat it matters. Below is how the platform is built and how we hold ourselves to it.
What we have, in plain English.
SOC 2 Type II
Audited annually by Schellman against the AICPA Trust Services Criteria. Reports available under NDA via security@ccen.co.
Encryption in transit and at rest
TLS 1.3 in transit. AES-256 at rest. Customer-scoped KMS keys for sensitive surfaces (PII, payment metadata).
Single sign-on, SCIM
Clerk-backed SAML and OIDC SSO on every tier. SCIM provisioning on Scale and Platform. Just-in-time provisioning supported.
Immutable audit trail
Every mutation records actor, source app, scope, timestamp, IP, and result. Append-only. Exportable to your SIEM.
App isolation
iframe per app, per-subdomain origin, strict CSP, COOP and COEP. Apps share no JS context with the host or each other.
Data residency
US, EU, and AU regions on Scale and Platform. Customer DPAs and sub-processor lists on request.
Backup and recovery
Continuous Postgres replication. Point-in-time restore to 30 days. Quarterly disaster-recovery drills documented in the SOC 2 evidence pack.
Monitoring and alerting
On-call engineering rotation. Alert on anomalous auth, scope violations, and rate-limit anomalies. Customer notification within 72 hours of confirmed incident.
From ingest to deletion certificate.
Your data passes through seven stages on CCEN. Each stage has a clear owner, a clear audit hook, and a clear way out.
- 01Ingest
Channel sync, EDI, manual upload. TLS 1.3 in transit. Schema validated at the boundary.
- 02Persist
AES-256 at rest. PII encrypted with customer-scoped KMS keys. Postgres + ClickHouse + Typesense, all encrypted.
- 03Access
RLS-backed scopes for every entity. Per-app, per-user enforcement. Every read recorded.
- 04Mutate
Audit-trailed by default. Actor, source app, scope, timestamp recorded for every write.
- 05Replicate
Cross-region replication with at-least-once delivery. Point-in-time recovery to 30 days.
- 06Export
Parquet snapshots to your S3 bucket. DuckDB-native query layer. EDI, SFTP, API, webhooks. Full filesystem download on request.
- 07Retain or delete
Configurable retention windows per entity. Hard-delete flow that propagates through replication and exports. Documented destruction certificate.
iframe-grade isolation, non-negotiable.
Third-party apps run inside iframes served from per-app subdomains. They share no JS context with the host or with each other. We rejected Shadow DOM (style-only encapsulation), Web Workers (no DOM), and WASM UI sandboxes (still renders through host JS).
- Per-app subdomain (origin-based isolation, scoped cookies, per-app CSP)
- Sandbox attribute with conservative defaults (allow-scripts, allow-same-origin, allow-forms)
- Strict per-app Content Security Policy
- Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy
- Per-install tokens, scoped to (app, merchant, install)
Frameworks we hold ourselves to.
Audited annually by Schellman.
Standard contractual clauses, EU data residency on Scale.
Consumer rights flows wired into the customer record.
We don't store cardholder data. Stripe and Adyen handle it.
Available on Platform tier with BAAs.
Targeted certification Q4 2026.
Found something? Tell us.
We run a coordinated disclosure program. Report any vulnerability to security@ccen.co with reproduction details. We acknowledge within one business day, fix critical issues within seven days, and credit reporters who want public credit.
Bounty range: $250 to $25,000 depending on severity. We follow CVSS 3.1.
For your security team.
Have a security questionnaire? We’ve seen it.
Send your standard SIG, CAIQ, or custom questionnaire. We’ll fill it out and return it within one business day on Scale and Platform tiers.