Everything your security team asks for.
One place for CarConnective's certifications, data protection, US & UK compliance, data residency and the documents your security and legal teams need to sign off. Our platform is engineered to the SOC 2 control set with its Type II audit underway; the connected-vehicle data layer is independently certified to ISO 27001 and ISO 27701.
Independently held, honestly stated.
We separate what the platform holds today from what the connected-vehicle data layer beneath it is already certified to — and we never claim a badge we haven't earned.
The paperwork, ready to go.
Public documents are linked below. Reports and lists that reference infrastructure detail are shared with your team under NDA — usually within a business day.
SOC 2 Type II report
On requestThe full independent report, once our observation period completes. Interim status and control matrix available now.
RequestData Processing Agreement
AvailableOur standard DPA covering UK GDPR, EU GDPR and US data-protection obligations, with SCCs where required.
ReadSecurity whitepaper
On requestArchitecture, encryption, tenant isolation, access control and incident response — the technical detail behind the posture.
RequestSubprocessor list
On requestThe full list of infrastructure subprocessors, each reviewed against its own SOC 2 / ISO posture. Shared under NDA.
RequestPrivacy Policy
AvailableHow we handle personal data across the platform and this site, for data subjects in the US, UK and EU.
ReadPenetration-test summary
On requestSummary letter from independent testing of the platform and the connected-vehicle data layer.
RequestHow the data is actually protected.
Encryption everywhere
TLS 1.2+ in transit, AES-256 at rest. Secrets live only in server-side environment values — never in the browser bundle.
Tenant isolation
Row-level security on every table; dealer-owned systems run in dedicated, physically isolated databases behind a control plane that never stores a tenant's keys.
Least-privilege access
Role-based access control, periodic access reviews, and a controlled change pipeline — every change through git → CI → deploy, no direct production edits.
Owner-consented vehicle data
OAuth-gated, owner-consented telemetry on a certified data layer. Title, odometer and diagnostics only — never owner PII. Unused data is purged.
Monitored & tested
Automated secret-scanning and IaC review on every change; annual third-party penetration testing on the platform and the vehicle data layer.
Immutable evidence
Consent, revocation and every data read append to a tamper-evident log — the answer already exists the moment an auditor, examiner or the ICO asks.
Your market's rules, your market's data.
Data can be processed in-region, and the same compliance engine maps from US statute to UK and EU regulation. Residency options are confirmed per engagement.
Consent, DNC, quiet hours; vehicle title & odometer only; financial-data safeguards; advertising checks.
Lawful basis & data-subject rights; FCA Consumer Duty fair-value & commission evidence; TPS screening; records of processing, DPIAs and an audit trail.
Residency and processing locations are confirmed in the DPA for each engagement. Data-subject and access requests: hello@carconnective.com.
Send us your questionnaire.
Have a vendor security assessment, a DPA to paper, or a document request? Send it over — a founder routes it to the right place, usually within a business day.
