Overview of Cleeng's PCI Compliance
Cleeng is certified as a Level 1 PCI DSS compliant service provider. PCI DSS (Payment Card Industry Data Security Standard) is the global security framework that governs how organizations handle payment card data.
Our certification means that Cleeng's systems and processes meet the highest level of payment security requirements. As part of our commitment to transparency, Cleeng provides an Attestation of Compliance (AOC) to customers who need to demonstrate third-party due diligence to their own auditors or payment processors.
What This Means for You
Depending on your role in the payment ecosystem, your compliance responsibilities differ. There are two main profiles:
| Merchant of Record (MoR) Publishers | Non-Merchant of Record Publishers |
| You are registered as the primary merchant with your payment processor. You are responsible for: | Cleeng acts as your merchant infrastructure provider. You can: |
If You Don't Use Cleeng Merchant (You Are the Merchant of Record)
As a Merchant of Record, you are the primary point of accountability with your payment processor (such as Stripe). This means you must complete your own PCI self-assessment, most commonly a Self-Assessment Questionnaire A (SAQ A).
Your compliance responsibilities
- Complete SAQ A (or the equivalent questionnaire provided by your payment processor)
- List all third-party service providers in Part 2f of the questionnaire
- Maintain up-to-date records of third-party AOCs
- Ensure your own payment environment is assessed and documented
How Cleeng supports you
Cleeng's role in your payment environment is as an entitlement and subscription management provider. We are integrated into your checkout flow but operate outside the direct Cardholder Data Environment (CDE) managed by your payment orchestration layer and processor.
To support your SAQ A filing, Cleeng provides:
- An Attestation of Compliance (AOC) confirming Cleeng's PCI DSS certification
- This article and supporting documentation for your compliance team
- Direct support from our Customer Success team for auditor queries
How to list Cleeng in your SAQ (Part 2f)
When completing Part 2f of your SAQ A (Third-Party Service Providers), list Cleeng as follows:
| Provider Name | Cleeng |
| Category | Core Service Provider / Entitlement Management |
| Description | Integrated with checkout flow; manages subscription entitlements |
| AOC Available? | Yes — contact your Cleeng account manager to request a copy |
Understanding the RACI for your payment stack
If you use Cleeng alongside a payment orchestration layer (such as Primer) and a payment processor (such as Stripe), the compliance responsibilities across your stack are divided as follows:
| Area | Who is responsible |
| Your PCI self-assessment (SAQ A) | You, as the Merchant of Record |
| Secure payment UI and card data transmission | Your payment orchestration provider (e.g. Primer) |
| Card data encryption and storage (vaulting) | Your payment processor (e.g. Stripe) |
| Entitlement management and subscription access | Cleeng (outside the direct CDE) |
| Listing third parties in Part 2f | You, as the Merchant of Record |
Because your orchestration provider and processor are responsible for handling sensitive card data, your own compliance scope is reduced to a simplified self-assessment: you confirm the setup, rather than auditing the technical infrastructure yourself.
If You Use Cleeng Merchant
If Cleeng acts as your primary merchant infrastructure and you do not hold Merchant of Record status with a payment processor, your compliance obligations are more straightforward.
What you can rely on
- Cleeng's Level 1 PCI DSS certification and AOC cover the payment processing infrastructure you use
- You can share Cleeng's AOC directly with auditors, partners, or platforms that require third-party compliance evidence
- Cleeng's Customer Success team can assist with auditor queries
What you may still need to do
Even without MoR status, your auditors or partners may ask for:
- Evidence that your payment provider (Cleeng) is PCI compliant — satisfied by Cleeng's AOC
- Confirmation of how card data is handled within your own systems — if you collect any payment data directly, you should review your own data handling processes
- Documentation of your checkout integration — if you use Cleeng's hosted checkout, this is covered within Cleeng's scope
Frequently Asked Questions
Can I use Cleeng's AOC to satisfy third-party requirements if I'm not using Cleeng Merchant?
Yes. Cleeng's AOC is the correct document to demonstrate to your payment processor or auditor who is responsible for PCI DSS compliance. When you are your own Merchant of Record (i.e. you are not using Cleeng Merchant), you will handle most of the PCI DSS compliance either internally or via your payment provider. If Cleeng is the Merchant of Record (i.e. you are using Cleeng Merchant), Cleeng is fully responsible for PCI DSS requirements. You should request the AOC from your Cleeng account manager and share it as part of your third-party provider documentation.
Does Cleeng's AOC replace my own compliance obligations?
No. Cleeng's AOC covers Cleeng's environment only. If you are a Merchant of Record, you must still complete your own SAQ A and any other assessments required by your payment processor. Think of it this way: the AOC proves that Cleeng is compliant — but your processor also needs to know that you are compliant in your own environment.
What is SAQ A and do I need to complete it?
SAQ A (Self-Assessment Questionnaire A) is a simplified PCI compliance self-assessment designed for merchants who outsource all card data handling to certified third parties. It is the most common questionnaire for businesses using hosted or third-party payment solutions.
If you are a Merchant of Record with Stripe (or another processor), you will typically be required to complete SAQ A. Contact your payment processor for the specific form. Cleeng and Primer can be consulted for the third-party provider section (Part 2f).
Where can I find Cleeng's Attestation of Compliance (AOC)?
Cleeng's AOC is available on request. Please contact your Cleeng account manager or reach out to Cleeng Customer Success with your request.
Note: the AOC is sent directly and is not hosted publicly, to ensure it is shared only with authorized parties.
I've been asked for a RACI matrix for PCI compliance. What should I share?
If you do not use Cleeng Merchant (i.e. you remain your own Merchant of Record), Cleeng can provide a standard RACI matrix outlining each party's responsibilities. Please contact your Cleeng account manager or Customer Success and request the PCI Compliance RACI Matrix. For bespoke architectures, our Solutions Engineering team can assist with a tailored version.
Does Cleeng store or process card data?
No. Cleeng does not store or process raw card data. Card data is handled exclusively by your payment orchestration provider (e.g. Primer) and payment processor (e.g. Stripe), both of which are PCI DSS certified. Cleeng's role is entitlement management — we manage access to subscriptions and content, and are integrated into the checkout flow, but we sit outside the direct Cardholder Data Environment (CDE).