Security

We hold ourselves to the same bar we help you meet.

We build a compliance platform. It would be a little awkward if we didn't take security seriously. Here's what we do.

Encryption: TLS 1.2+ in transit. AES-256 at rest. Per-tenant key isolation.
Access control: Role-based access, MFA enforcement, SSO on enterprise plans, least-privilege admin.
Audit logging: Every change to controls, evidence, and policies is captured in an immutable audit log.
Backups & DR: Encrypted, geo-redundant backups with regularly tested restore procedures.
Vulnerability management: Continuous dependency scanning, periodic penetration testing, responsible disclosure.
Subprocessors: Vetted vendors only. Current list available on request under NDA.

Frameworks we align to

ComplyAura's internal program is built around the same frameworks we support in product — including SOC 2 Type II, ISO 27001:2022, NIST CSF v2.0, and CIS Controls v8 — with mappings to GDPR and applicable privacy regulation.

Reporting a vulnerability

If you believe you've found a security issue in ComplyAura, please email security@complyaura.com. We acknowledge reports within one business day and work with researchers in good faith.

Trust documentation

SOC 2 reports, penetration test summaries, and our subprocessor list are available to customers and prospects under NDA.