Security Built Into Every Layer

Your compliance data is among the most sensitive information your firm handles. We protect it with the same rigor you apply to your regulatory obligations.

AES-256

Encryption at rest

TLS

Encryption in transit

RBAC

8 granular access roles

Data Encryption

  • AES-256 encryption for all data at rest via Google Cloud managed encryption
  • TLS encryption (1.2/1.3) for all data in transit
  • Database connections encrypted with SSL certificates
  • Encrypted backups via Cloud SQL automated backup system

Access Controls

  • Role-based access control (RBAC) with 8 granular permission levels
  • Per-tenant data isolation — firm data is never shared across organizations
  • JWT-based authentication with secure token refresh
  • Password hashing with bcrypt and configurable complexity requirements
  • SSO/SAML integration available on Enterprise plans

Infrastructure

  • Hosted on Google Cloud Platform (GCP) with Cloud Run
  • Cloud SQL (PostgreSQL 16) with automated daily backups
  • All data stored in US-based data centers (us-central1)
  • Auto-scaling, multi-zone Cloud Run deployment
  • Redis-backed session caching and rate limiting via Memorystore

Audit Logging

  • Every user action logged with timestamp, user ID, and IP address
  • Audit logs scoped per tenant and exportable for exam preparation
  • Searchable and filterable audit trail for compliance officers
  • Persistent log storage for regulatory compliance

Session Management

  • JWT access tokens with 30-minute expiry
  • Refresh tokens with 7-day expiry and automatic rotation
  • 15-minute inactivity auto-logout
  • Token blacklisting on logout via Redis

Data Handling

  • Multi-tenant architecture with strict tenant-scoped database queries
  • Data export capabilities for portability and regulatory compliance
  • File uploads stored securely in Google Cloud Storage with access controls
  • Persistent data storage with tenant-scoped isolation

Security Contact

We welcome security inquiries from customers, prospects, and researchers. Every report is reviewed by our CISO and acknowledged within one business day.

Report a Vulnerability

Found a security issue? Please report it responsibly by email. Include steps to reproduce and any proof-of-concept details.

security@complianceapproved.com →

Vendor Security Questionnaire

Evaluating Compliance Approved for your firm? We can provide our security documentation under a mutual NDA.

Request documentation →

Responsible Disclosure

  • Give us reasonable time to investigate and remediate before public disclosure
  • Do not access, modify, or destroy data belonging to other customers
  • Do not perform testing that could degrade service availability for others
  • We will acknowledge your report within one business day and keep you updated on remediation

Our published security contact information follows RFC 9116 and is available at /.well-known/security.txt.

Ready to transform your compliance workflow?

Be among the first to experience AI-powered compliance technology.

Get Started FreeBook a Demo