Security

Compliance starts with us.

Last updated: 22 February 2026

Infrastructure & Hosting

Comeply's platform is hosted on cloud infrastructure located within the European Union. We operate within a dedicated environment that provides logical isolation between customer data. Infrastructure is managed by an enterprise-grade cloud provider subject to ISO 27001 and SOC 2 certification. Specific provider details are available upon request under NDA for enterprise customers undergoing security due diligence.

Data Encryption

All data transmitted between your browser and the Comeply platform is encrypted in transit using TLS 1.2 or higher. All customer data stored on our infrastructure is encrypted at rest using AES-256. Encryption keys are managed and rotated on a regular schedule.

Access Controls

Access to the Comeply platform is protected by role-based access controls. Each user account is scoped to the permissions assigned by your organisation's administrator. We support multi-factor authentication and recommend it for all users. Internal Comeply staff access to customer data is restricted on a strict need-to-know basis and is logged for audit purposes.

Data Isolation

Customer data is logically isolated within our infrastructure. No customer can access another customer's data. Comeply employees access customer data only where required to deliver support and only with appropriate authorisation.

Subprocessors

Comeply uses a limited number of trusted subprocessors to operate the platform. These include our EU-based cloud infrastructure provider, Microsoft (for Clarity analytics on our marketing website only — not on the platform itself), and any communication tooling used for customer support. All subprocessors are subject to data processing agreements and are required to maintain appropriate security standards. A full list of subprocessors is available upon request.

Vulnerability Management

We conduct regular internal reviews of our codebase and infrastructure for security vulnerabilities. We maintain a responsible disclosure policy — if you believe you have identified a security vulnerability in Comeply, please report it to security@comeply.com and we will investigate and respond within 5 business days. We ask that you do not publicly disclose any potential vulnerability until we have had the opportunity to investigate.

Incident Response

Comeply maintains an internal incident response process. In the event of a confirmed security incident affecting customer data, we will notify affected customers within 72 hours of becoming aware of the breach, in accordance with our obligations under GDPR. Notifications will include the nature of the incident, the data affected, and the steps we are taking to address it.

Compliance & Certifications

Comeply operates in accordance with GDPR requirements applicable to a data processor and controller. We are working toward formal ISO 27001 certification. Enterprise customers requiring evidence of our security posture for vendor qualification or audit purposes are invited to contact us directly to discuss what documentation we are able to provide.

For all security-related enquiries, responsible disclosure, or vendor security questionnaires:

contact@comeply.com · Comeply ApS · CVR 45448959