SOC 2 Type II
Independent audit covering security, availability, processing integrity, confidentiality, and privacy controls. Continuous monitoring across the platform.
Ceburu is engineered for the controls, audits, and contracts that regulated industries actually require. SOC 2 Type II certified. HIPAA compliant. ISO 27001 in flight. Single-tenant and on-prem deployment options. Encryption in transit and at rest. The work to make procurement painless is done — so your evaluation isn't.
Independent third-party attestations covering the controls, data-handling, and infrastructure that enterprise procurement requires.
Aligned with HIPAA Security and Privacy Rules. BAA available on request. Designed for clinical infrastructure, EHR integrations, and healthcare operational data.
Active certification process for the international standard for information security management systems. Controls implemented; audit period underway with expected completion in Q3 2026.
Controls baked into the platform — not bolted on later. Everything below is enabled out of the box for every Ceburu deployment.
AES-256 at rest. TLS 1.3 in transit. Customer-managed keys (BYOK) supported for enterprise tiers.
SAML 2.0 and OIDC SSO. SCIM provisioning. MFA required for all admin actions. Okta, Azure AD, Google Workspace supported.
Granular RBAC across users, teams, services, and data. Least-privilege by default. Approval workflows for sensitive operations.
Tamper-evident audit logs for every administrative and data action. SIEM-exportable. Retention configurable per compliance regime.
SaaS by default. Dedicated single-tenant deployments for regulated industries. Fully air-gapped on-prem available for the most sensitive environments.
Annual third-party penetration testing. Continuous vulnerability scanning. Production change-management review for all critical deploys.
Ceburu is built to respect data residency, processing limitations, and the contractual realities of doing business across borders.
GDPR & CCPA-ready. Ceburu processes customer data as a Data Processor under GDPR and a Service Provider under CCPA/CPRA. A Data Processing Agreement (DPA) is available on request and can be executed as part of standard procurement.
Data residency. Customer data is processed in the AWS region you select. U.S. (us-east-1, us-west-2) and EU (eu-west-1, eu-central-1) regions available at GA; additional regions on the roadmap.
Minimum necessary. Ceburu collects only the telemetry needed to operate the platform. No customer end-user PII is required for product operation. Configurable data-retention windows per workspace.
Sub-processors. A current list of all third-party sub-processors, their roles, and processing regions is available below. We notify customers in advance of any material change.
Request DPA
We share the full SOC 2 Type II report under a standard NDA. Most security reviews are unblocked in 24 hours.
The questions we hear most often from security teams, procurement, and IT leaders evaluating Ceburu.
No shared inboxes, no compliance theater. The team that owns security responds directly.
DPAs, BAAs, vendor questionnaires, audit reports, and procurement-stage security reviews.
security@ceburu.com
Security researchers: please report vulnerabilities to security@ceburu.com. We acknowledge within 24 hours and credit researchers in our security advisories.
Report a vulnerability