Security & Compliance

Trust Center

Security and compliance are foundational to everything we build. This page provides a transparent overview of our security architecture, compliance status, and data handling practices. We believe trust is earned through openness, not claims.

Security Architecture

Our security posture spans infrastructure, application, and operational layers. Each layer is designed with defense-in-depth principles.

Infrastructure Security

  • Azure-hosted with network isolation
  • TLS 1.2+ for all data in transit
  • Azure-managed encryption at rest (AES-256)
  • Redis with private endpoints
  • Azure Service Bus with managed identity
  • Automated infrastructure provisioning via pipelines

Application Security

  • OAuth 2.0 / OpenID Connect (OpenIddict)
  • Granular role-based access control (RBAC)
  • Multi-tenant data isolation
  • Input validation on all API endpoints
  • Structured logging with no PII in logs
  • Dependency scanning in CI/CD pipeline

Operational Security

  • Full audit trail for all entity changes
  • Centralized logging and monitoring
  • Automated alerting for anomalies
  • Principle of least privilege for all access
  • Regular access reviews
  • Incident response procedures documented

Compliance Status

We are transparent about where we are on our compliance journey. Below is the current status of each certification and regulation we are working toward.

Framework      Status       Target   Details
GDPR           In Progress  H1 2026  Data processing agreements, consent management, and data subject rights workflows
SOC 2 Type I   In Progress  H2 2026  Security, availability, and confidentiality trust service criteria
SOC 2 Type II  Planned      H1 2027  Operational effectiveness of security controls over a sustained period
ISO 27001      Planned      2027     Information security management system certification

Data Handling

How we store, process, and manage your data. We are committed to minimizing data retention and maximizing your control over your information.

Data Residency

All data is hosted in Azure West Europe (Netherlands). We do not transfer data outside the EU unless explicitly configured by the tenant. Infrastructure services (MongoDB, Redis, Service Bus, Blob Storage) all reside in the same Azure region.

Data Retention

Data Type          Retention
Message content    90 days (configurable per tenant)
Delivery metadata  1 year
Audit logs         2 years
Cost records       3 years

Data Processing

Message content is processed only for the purpose of delivery. We do not analyze, mine, or use message content for any purpose other than routing to the configured provider. Message variables are resolved at delivery time and are not stored separately from the rendered message.

Sub-processors

The following third-party services process data on behalf of DRIVEN2U CPaaS:

  • Microsoft Azure — Cloud infrastructure (West Europe)
  • Twilio — SMS, Email (SendGrid), WhatsApp delivery
  • Infobip — SMS, Email, WhatsApp delivery
  • MongoDB Atlas — Database hosting (Azure West Europe)

Responsible Disclosure

We take security vulnerabilities seriously. If you have discovered a security issue in DRIVEN2U CPaaS, we appreciate your help in disclosing it to us responsibly.

Please report security vulnerabilities to:

security@driven2u.com


We will acknowledge your report within 48 hours and aim to provide a resolution timeline within 5 business days. We request that you do not publicly disclose the vulnerability until we have had an opportunity to address it.

Questions About Security or Compliance?

If you need additional information about our security practices, compliance status, or data handling policies, our team is happy to help.
