Trust at Ceven

Security you can verify, not just trust.

Ceven processes procurement contracts, employment records, and payment metadata for every customer on the platform. The controls below describe how we protect that data, how we respond when something goes wrong, and where we are on the road to independent certification. Every control is reviewed on change and at least annually.

Certification status

Certification | Status | Notes
SOC 2 Type I | In progress | Policy docs complete; independent audit scheduled
SOC 2 Type II | Planned | Post-Type I; requires 6-month observation window
GDPR compliance | In place | Data subject rights and processor agreements in place
CCPA compliance | In place | California resident rights honored per statute
HIPAA | Planned | BAA framework ready; activated when PHI enters scope

Infrastructure security

Protecting the network, servers, and data stores that Ceven runs on.

Organizational security

How people access and work with Ceven's systems.

Product security

Controls baked into how the software is built and shipped.

Internal security procedures

Policies, responsibilities, and response playbooks.

Data and privacy

What we collect, how long we keep it, and how we delete it.

What we collect

The minimum fields required to operate the platform, grouped by purpose. The full retention policy lives in our Privacy Policy.

Data | Purpose | Retention
Account profile | Authentication, role assignment, preferences | Life of account + 30 days after deletion request
Email and phone | Login, password reset, notifications, support | Life of account + 30 days
Vendor and contract data | Procurement workflows, negotiation, analytics | Life of account + 7 years (tax and audit holds)
Payment metadata | Subscription billing via Stripe | 7 years (Stripe processes and stores card data)
Employee and HR data | HR workflows, payroll, compliance reporting | Life of account + 7 years (IRS and DOL requirements)
Product telemetry | Error diagnostics, capacity planning, abuse detection | 90 days, then aggregated

Subprocessors

Third parties that process customer data on Ceven's behalf. We require every subprocessor to sign a data processing agreement and meet the controls in our vendor management policy.

Subprocessor | Service | Region
Stripe | Subscription billing and invoice payment | United States
Anthropic | Natural-language reasoning | United States
OpenAI | Natural-language reasoning (fallback) | United States
Vapi | Voice AI for telephony workflows | United States
Cloudflare | DNS, WAF, and CDN | Global
Vercel | Frontend hosting | Global
Nocix | Primary API and database hosting | United States
Resend | Transactional email | United States
Google Workspace | Business email and calendar | United States

Responsible disclosure

If you find a security issue, report it to security@ceven.io. We acknowledge every report within two business days and fix critical issues the same day. Give us reasonable time to investigate before disclosing publicly.

Contact

Security questions: security@ceven.io. Compliance documentation requests: compliance@ceven.io. Privacy and data subject requests: privacy@ceven.io.