How we protect your inventory — and what we deliberately don't do.
We're not in your data path. We don't read content. The architecture is a deliberate choice, and this page is where we make every boundary explicit.
Five boundaries we don't cross.
These are not aspirations. They're shape-of-the-product decisions — what CenseCloud can never do because of how it's built, not because of a policy that might change.
No proxy in your traffic path
We are not a SaaS proxy. Traffic to your business applications doesn't route through CenseCloud. No latency added, no point of failure introduced.
No MITM, no inline decryption
We don't decrypt TLS. We don't terminate SSL. There is no man-in-the-middle on user traffic — by design, not by promise.
No agents on prod servers
The endpoint agent runs on user devices — laptops and workstations. Never on production servers, databases or domain controllers. Your critical infrastructure stays untouched.
Endpoint-only signals
Inventory is built from the user's own endpoint and browser — what they install, what they open, what they grant. Approved signals leave; payloads don't.
No content inspection
We capture the action and the target's risk score — not the message body, not the file contents. CenseCloud is not a DLP.
We collect the action and the target. We don't read the content.
B2B SaaS governance often blurs into surveillance. The line we draw is concrete: we observe what was done and where it was sent, never what was inside it.
Signals required to govern.
- User action — App opened, paste attempt blocked, file-share blocked, page visited — the fact of the action, with timestamp.
- Target risk score — The destination SaaS or AI tool's classification: AI-category, personal-account, foreign jurisdiction, no-SSO. Score only — not the page body.
- Identity attributes — AD username, OU, group membership, lastLogon (MAX across DCs). Pulled from your directory; never enriched with external profiles.
- OAuth grants — Third-party application consents in your Entra/Workspace tenant — app name, scopes, granting user, timestamp.
- Endpoint inventory — Installed applications, browser extensions, IDE extensions. Names and versions — not the data inside any of them.
- Licence and spend — Where you connect finance integrations: subscription line, seat count, renewal cycle. We see the contract, not the content of usage.
Signals we go out of our way to avoid.
- Message and file content — We never read email bodies, chat messages, document contents, or pasted text. The action is captured; the payload is not.
- Keystrokes / clicks — No keylogging, no click-tracking. The endpoint agent observes process and event metadata, not user input.
- Screen contents — No screen capture, no screenshot streams. Even when policy fires (block, coach), we don't transmit what was on screen.
- Personal identifiers — We don't extract national IDs, payment cards, phone numbers or other PII fragments from traffic or content. We don't need them.
- Database rows — We don't connect to your application databases. CenseCloud reads its own inventory, not your business records.
- Browsing history at large — Outside known SaaS and AI categories, browsing isn't recorded. Visiting a news site is invisible to us.
We help you prove compliance — we don't claim certifications we don't hold.
CenseRisk maps every risk to the frameworks your auditors actually use. That's a product capability, not a company badge — and we keep the distinction explicit.
CenseCloud holds no third-party security certification at this time. The frameworks listed below describe what our product reports against, so your team can prepare evidence — not certifications carried by the company itself.
KVKK
Reporting: Dedicated risk layer in the engine. RoPA-grade export, special-category data flagging, cross-border transfer view, DSR support.
GDPR
Reporting: Article 30 records of processing, lawful basis review surface, third-country transfer markers — all from the same inventory.
ISO 27001
Reporting: Asset inventory (A.5.9), supplier security (A.5.19–21), access control and review (A.5.15–18). Evidence pulled from the live inventory.
NIST CSF 2.0
Reporting: Mapping to GOVERN, IDENTIFY (ID.AM, ID.SC) and PROTECT (PR.AA) function categories. Built for the post-2.0 framework, not retrofitted.
EU AI Act
Reporting: Risk tagging on AI applications, governance ladder (sanctioned · monitored · conditional · blocked), evidence trail per AI inventory item.
Per-firm separation by construction.
Every firm is its own tenant inside CenseCloud. Tenant isolation cannot be configured away — there is no toggle that lets one firm see another's inventory.
Per-firm tenant model
Each customer gets a dedicated tenant context. Every query, every API call carries the firm identifier and is filtered at the data layer.
Reviewed isolation
Tenant separation is reviewed in our internal end-to-end audits. SQL injection, IDOR and cross-tenant access vectors are part of the regression checklist.
Role-based access
Admin / viewer / auditor roles per tenant. Module-level scoping for read versus action. Sensitive operations gated to the admin role.
Audit-immutable trail
Policy changes, access reviews and closure events are written to an audit log that the dashboard cannot retroactively edit.
Vendors who process data on our behalf.
Under KVKK and GDPR, we disclose the third parties that touch tenant data when CenseCloud operates. The list below is current. We notify customers before adding a sub-processor that handles tenant data.
This list is illustrative of the current architecture and may change. For the most current sub-processor list — including DPA terms — talk to us via the contact link below.
Found something? Tell us first.
If you think you've found a vulnerability in CenseCloud, write to us before publishing. We commit to a defined response timeline and to crediting you in the fix where appropriate. Coordinated disclosure makes the product safer for everyone.
- Acknowledgement within 2 business days of your report.
- Triage and severity assessment within 7 business days.
- Credit in the changelog for confirmed reports, where you want it.
Want the DPA, the sub-processor list or a security review?
We send our DPA, current sub-processor list, and security questionnaire response by email on request. No portal, no friction.
