Trust & Security

How we protect your data.

Complai is a compliance product, so we hold ourselves to the bar we help our customers hit. This page documents what we do today, what's in progress, and the direct contact path for security questions.

All systems operational Live status →

Encryption, everywhere

TLS 1.2+ in transit and AES-256 at rest on every primary store. No customer data leaves an encrypted channel.

Least-privilege access

Employee access to production data is role-scoped, audit-logged, and reviewed quarterly. MFA required for all admin surfaces.

Short sub-processor list

We use a deliberately small set of vendors. Every one is listed below with what it processes and a link to its DPA.

01 Certifications & frameworks

✓ GDPR-aligned ✓ UK GDPR SOC 2 Type I — in progress ISO 27001 — planned 2026 H2

We operate our own platform against the same control families we help our customers measure themselves on. Our active SOC 2 Type I audit is tracking to close by end of Q3 2026; ISO 27001 readiness work begins immediately after.

If you need a current security questionnaire response, vendor-risk-assessment (VRA) package, or copies of audit artefacts, email security@mycomplai.com and we'll respond within two business days.

02 Sub-processors

The full list of third parties that process customer data on our behalf. We notify customers of material changes (additions, region changes) at least 30 days before they take effect.

Provider	Purpose	Data region	DPA
Supabase	Primary database, authentication store, object storage	EU / US (configurable)	DPA
Clerk	End-user authentication and session management for the dashboard	US	DPA
Anthropic (Claude API)	AI generation of questionnaire answers, policies, and gap reports	US	Privacy
Stripe	Payment processing and subscription management	US / EU	DPA
Resend	Transactional email delivery	US	Privacy
Vercel	Application hosting, edge delivery, and serverless compute	Global edge (primary: US-East)	DPA

03 Data handling

What we collect: the business email, company name, and answers you or your colleagues submit through the Complai dashboard. We do not collect payment card numbers, government IDs, or sensitive categories of personal data.

Where it lives: all primary customer data is stored in Supabase Postgres. We prefer EU project regions where available.

How long we keep it:

Assessment data and generated reports — 3 years from submission, then deleted or anonymised.
Account metadata — duration of active account plus 12 months.
Payment records — 7 years (tax and financial-record obligations).
Application and audit logs — 90 days, then automatically purged.

Training. Customer submissions are never used to train third-party foundation models. Anthropic's API commitment not to train on customer data is confirmed in writing in their commercial terms.

04 Security controls

Encryption in transit: TLS 1.2+ only; HSTS with preload + includeSubDomains.
Encryption at rest: AES-256 on all managed stores (Supabase, Vercel).
Authentication: dashboard users authenticate via Clerk. MFA available; SSO (SAML/OIDC) offered on Growth plans.
Employee access: production access is role-based, requires MFA, and every admin action is logged.
Network: we do not run our own infrastructure. Compute and storage run on Vercel and Supabase respectively, inheriting their network hardening.
Vulnerability management: dependency scanning on every merge (GitHub/Dependabot); patched within 7 days for high/critical CVEs.
Change management: 100% of code changes go through pull request, CI (tests + lint + build), and a second reviewer before merging to master.
Backups: daily Supabase point-in-time backups, 7-day retention. Quarterly restore drills.
Secrets: no credentials committed to source; all secrets live in Vercel environment variables with scoped access.

05 Incident response

Our incident response runbook is triggered by either an internal alert (error-rate spike, dependency check failure on /api/health) or an external report to security@mycomplai.com.

Response commitments:

Acknowledge security reports within 24 hours.
Triage and assign severity within 48 hours.
Notify affected customers of confirmed data incidents within 72 hours, per GDPR Article 33.
Provide a written post-mortem within 14 days of resolution for any incident with customer impact.

Responsible disclosure. If you believe you've found a vulnerability, please email us rather than filing a public issue. We do not currently run a paid bounty programme, but we credit reporters with permission and commit to not pursuing legal action against good-faith research.

06 AI & data use

Complai uses Anthropic's Claude API to generate questionnaire answers, policy drafts, and gap analyses. Important commitments:

No training on your data. Anthropic's commercial terms prohibit training on API inputs and outputs.
No cross-tenant bleed. Every prompt is constructed from a single tenant's data; we do not batch prompts across customers.
Human-in-the-loop expected. AI outputs are recommendations, not assertions. Every generated policy and answer is flagged for review before use with a third party.
Auditability. We retain prompt/response pairs against your account so you can reproduce or re-audit any AI-generated output.

07 Availability & status

Our public status page lives at app.mycomplai.com/status. It is driven by a live health probe against our backend API and updates on every request — no cached dashboards.

For programmatic monitoring, the JSON endpoint is app.mycomplai.com/api/health: returns 200 with { status: "ok" } when healthy, 503 when any dependency is degraded. Safe to poll at any frequency; no authentication required.

08 Contacts

Security reports

Vulnerability disclosure, suspected incident, or general security questions.

security@mycomplai.com

Privacy & GDPR

Data subject requests, DPA enquiries, sub-processor notifications.

privacy@mycomplai.com