title: Is Certification Center SOC 2 certified?
category: Compliance Frameworks
tags: soc 2, compliance, security questionnaire
priority: Normal
Is Certification Center SOC 2 certified?
A straight answer: formal SOC 2 attestation is on our roadmap, not in hand today. We are an early, focused product, and we would rather earn a mid-market team's trust with a specific, honest answer than a logo we have not verified. This article explains where we are, and describes the security posture we can back up right now.
The honest answer on SOC 2
We do not hold a SOC 2 report today. It is on the roadmap. Until it lands, we will not imply otherwise or point you at a badge that does not exist.
What we do instead:
- We complete security questionnaires on request. Send us yours and we answer specifics.
- We give concrete answers, not badges. The sections below describe how your data is actually held, so a security reviewer can evaluate us on facts.
Your data is isolated by construction
| Control | How it works |
|---|---|
| A database per customer | Every customer gets their own database with its own SQL credentials — not a shared table with a tenant column. One customer's login cannot read another's, because it is scoped to a different database entirely. |
| Encrypted in transit and at rest | All traffic is HTTPS (HSTS, TLS). Data at rest sits on Azure SQL with transparent data encryption. |
| Credentials encrypted, never logged | Directory and service credentials you enter are encrypted at rest, decrypted only to make the connection you configured, and never written to logs or shown back to you in the clear. |
Read-only by default, write-back only when you turn it on
A connection to your directory can only read until you explicitly enable write-back on that specific connection. Discovery, certification, and reporting never need write access, so for most of what the platform does it simply cannot change anything in your environment. You can start with a read-only demo, move to a trial with sample data, connect a small test OU, and only enable write-back when you are ready — one connection at a time.
Who at the vendor can see your data
| Question | Answer |
|---|---|
| Who can access our tenant? | Routine operation does not require anyone on our side to read your tenant data. When support genuinely needs to act on your account, that access is break-glass and logged — a recorded action, not standing access. |
| Do you enforce MFA and least privilege on staff? | Yes. Staff access to the operations console requires multi-factor sign-in, and staff roles are scoped — a support agent does not get customer-administration powers. |
Backups and leaving
| Question | Answer |
|---|---|
| Can you recover a point in time? | Tenant databases run on Azure SQL with point-in-time restore, so a database can be rolled back to a moment within the retention window. |
| What happens to our data if we leave? | You can export while your tenant is active. On cancellation the tenant goes read-only for a grace period so you can still export, after which the tenant database is deleted. We do not hold your data hostage, and we do not keep it indefinitely once you are gone. |
Send us your security questionnaire
If your review process needs answers in a specific format, send the questionnaire to support@certification-center.com and we will complete it. We answer specifics rather than deflecting to a certification we do not yet hold.