We hold ourselves to the standards we help you achieve.
Complify is a GRC platform. That means our own security posture is held to the highest standard — certified, tested, and transparent. Everything you need to complete your vendor due diligence is on this page.
Independently verified. Every year.
How we protect your data.
- ✓ AES-256 encryption at rest for all customer data
- ✓ TLS 1.3 in transit — no older protocols accepted
- ✓ Separate encryption keys per customer tenant
- ✓ Hardware Security Module (HSM) for key management
- ✓ Database-level field encryption for sensitive fields
- ✓ SSO with SAML 2.0 and OIDC (Okta, Azure AD, Google)
- ✓ MFA enforced for all Complify staff — no exceptions
- ✓ Zero-trust network access for internal systems
- ✓ Quarterly access reviews with automatic deprovisioning
- ✓ Privileged access management (PAM) for production systems
- ✓ AWS VPC with private subnets — no public-facing databases
- ✓ WAF (Web Application Firewall) on all ingress points
- ✓ DDoS protection via AWS Shield Advanced
- ✓ Network segmentation between tenant environments
- ✓ Automated intrusion detection (GuardDuty + custom SIEM rules)
- ✓ Automated daily backups with 90-day retention
- ✓ Point-in-time recovery for the last 35 days
- ✓ Cross-region backup replication (EU-West → EU-Central)
- ✓ RTO: 4 hours / RPO: 1 hour for full platform restoration
- ✓ BCP tested quarterly — last test: January 2026
99.98% uptime. Not a target — a record.
- Elevated latency on Evidence Collection service — database query optimization required. All data integrity maintained.
- Partial disruption to email notifications due to upstream Mailgun degradation. No data loss; notifications re-queued.
- Scheduled maintenance window — database version upgrade. Customers notified 14 days in advance.
Security controls you control.
Enforce SSO via your corporate IdP and mandate MFA for all users. Complify supports SAML 2.0 and OIDC — integrate with Okta, Azure AD, Google Workspace, or any compliant provider.
Granular RBAC with custom roles. Define who can view, edit, approve, and export — at the platform level, module level, and individual document level. Full audit trail of every access decision.
Complete, immutable audit logs of all user actions, system events, and data access. Export to your SIEM in real time via webhook or API — Splunk, Datadog, Elastic, Microsoft Sentinel supported.
SaaS customers choose their primary data residency region at onboarding — EU (Ireland + Frankfurt), US (Virginia + Oregon), or APAC (Singapore + Sydney). Region cannot be changed post-onboarding without migration.
Export all your compliance data at any time in structured JSON or PDF format. No lock-in — your evidence, policies, risk registers, and audit logs are yours and always exportable on request.
Configure data retention policies per module. On contract termination, all customer data is securely deleted within 30 days with a deletion certificate provided. Compliant with GDPR Art. 17 right to erasure.
Talk to our security team.
For security questionnaires, penetration test reports, or due diligence reviews, contact our security team directly. We respond to all security inquiries within one business day.
Request a security review.
Our security team will walk you through Complify's controls, answer your questionnaire, and provide any documentation needed for your vendor due diligence process.