ComplyAgent
Security & trust

Compliance software, held to its own standard.

You're trusting us with a map of where your business uses AI. Here is exactly how that data is stored, protected, and kept under your control.

EU data residency · Encrypted in transit & at rest · Export & delete on demand

Data residency & hosting

  • Your inventory, classifications, and documents are stored in Postgres hosted in the EU (Supabase, Ireland / eu-west-1).
  • The application runs on Vercel. Product analytics (PostHog) and error monitoring (Sentry), when enabled, are configured to EU regions.
  • Where a sub-processor is outside the EEA, transfers are covered by Standard Contractual Clauses.

Encryption

  • All traffic is encrypted in transit with TLS. Data at rest is encrypted by our database provider.
  • Third-party access tokens (for example the read-only GitHub token used by code-scan discovery) are additionally encrypted with AES-256-GCM, using a key held outside the database.
  • Secrets live in environment configuration, never in the source repository.

Tenant isolation & access

  • Every record belongs to one organisation. The active organisation is resolved from the authenticated session on each request, and data queries are scoped to it.
  • Members only ever see their own organisation's data. Role is derived from your identity provider, not self-asserted.

Authentication

  • Authentication is handled by Clerk. We never store your password.
  • Single sign-on and multi-factor authentication are available through Clerk.

Privacy of AI processing

  • Risk classification and document drafting can use a large language model (Anthropic). The provider does not train on your data, and transfers are covered by SCCs.
  • A deterministic, rules-based classifier runs as the baseline and fallback, so the product works even when the AI provider is unavailable.

Your data, your control

  • Export everything your organisation holds as structured JSON at any time (GDPR portability).
  • Delete your organisation and its data from Settings. A Data Processing Agreement is available, and our sub-processors are listed publicly.

Monitoring & data minimisation

  • Error monitoring is configured not to capture personal data by default.
  • We collect the minimum needed to run the service and to show you your compliance posture.

What we haven't done yet

We're an early-stage product and we'd rather be straight with you than imply more than we've earned. A SOC 2 Type II audit and an independent penetration test are on our roadmap but not yet complete. When they are, we'll publish them here.

See our sub-processors, DPA, and privacy policy for the full detail.

Report a vulnerability

Found something? We want to hear about it. Email us and we'll respond promptly. Please give us reasonable time to fix an issue before disclosing it publicly.

admin@complyagent.eu