Trust Center

Everything your security team asks for.

One place for CarConnective's certifications, data protection, US & UK compliance, data residency and the documents your security and legal teams need to sign off. Our platform is engineered to the SOC 2 control set with its Type II audit underway; the connected-vehicle data layer is independently certified to ISO 27001 and ISO 27701.

SOC 2 Type II audit underwayISO 27001 + 27701 certified data layerUS + UK compliant by designData residency US · UK/EU
Certifications & attestations

Independently held, honestly stated.

We separate what the platform holds today from what the connected-vehicle data layer beneath it is already certified to — and we never claim a badge we haven't earned.

SOC 2 Type IIPlatform programAudit underway
ISO 27001Data layerCertified
ISO 27701Data layer · privacyCertified
GDPRUK + EUAligned
Documents

The paperwork, ready to go.

Public documents are linked below. Reports and lists that reference infrastructure detail are shared with your team under NDA — usually within a business day.

SOC 2 Type II report

On request

The full independent report, once our observation period completes. Interim status and control matrix available now.

Request

Data Processing Agreement

Available

Our standard DPA covering UK GDPR, EU GDPR and US data-protection obligations, with SCCs where required.

Read

Security whitepaper

On request

Architecture, encryption, tenant isolation, access control and incident response — the technical detail behind the posture.

Request

Subprocessor list

On request

The full list of infrastructure subprocessors, each reviewed against its own SOC 2 / ISO posture. Shared under NDA.

Request

Privacy Policy

Available

How we handle personal data across the platform and this site, for data subjects in the US, UK and EU.

Read

Penetration-test summary

On request

Summary letter from independent testing of the platform and the connected-vehicle data layer.

Request
Data protection

How the data is actually protected.

Encryption everywhere

TLS 1.2+ in transit, AES-256 at rest. Secrets live only in server-side environment values — never in the browser bundle.

Tenant isolation

Row-level security on every table; dealer-owned systems run in dedicated, physically isolated databases behind a control plane that never stores a tenant's keys.

Least-privilege access

Role-based access control, periodic access reviews, and a controlled change pipeline — every change through git → CI → deploy, no direct production edits.

Owner-consented vehicle data

OAuth-gated, owner-consented telemetry on a certified data layer. Title, odometer and diagnostics only — never owner PII. Unused data is purged.

Monitored & tested

Automated secret-scanning and IaC review on every change; annual third-party penetration testing on the platform and the vehicle data layer.

Immutable evidence

Consent, revocation and every data read append to a tamper-evident log — the answer already exists the moment an auditor, examiner or the ICO asks.

See the full control matrix
Residency & regional compliance

Your market's rules, your market's data.

Data can be processed in-region, and the same compliance engine maps from US statute to UK and EU regulation. Residency options are confirmed per engagement.

United States
United Kingdom & EU
USTCPA · DPPA · GLBA · FTC

Consent, DNC, quiet hours; vehicle title & odometer only; financial-data safeguards; advertising checks.

UK/EUUK GDPR · DPA 2018 · PECR · FCA · ICO

Lawful basis & data-subject rights; FCA Consumer Duty fair-value & commission evidence; TPS screening; records of processing, DPIAs and an audit trail.

Residency and processing locations are confirmed in the DPA for each engagement. Data-subject and access requests: hello@carconnective.com.

Security review

Send us your questionnaire.

Have a vendor security assessment, a DPA to paper, or a document request? Send it over — a founder routes it to the right place, usually within a business day.

Request Documents