Security & trust
SOC 2 in progress · ISO 27001 aligned

The same primitives that protect your data stand up under an audit.

Compliance teams know what good controls look like. We built CompStack to the same bar, because the platform itself sits inside our customers' audit scope.

Certifications & posture (last review · 2026-04)

  • SOC 2 Type II: in progress · ETA Q3 2026
  • ISO 27001: controls aligned · audit Q4 2026
  • GDPR & UK GDPR: DPA & SCCs available
  • Data residency: EU · US · Africa
  • Pen-test: annual + on major releases

Principles

What we won't compromise on.

The non-negotiables. Same on day one as on day a thousand.

Tenant isolation

Per-organization row-level isolation across requirements, documents, evidence, audits, CAPA, risk, and AI context. Verified at every query.

Role & site boundaries

Admin · manager · auditor · viewer. Plus site-level access boundaries, useful when one tenant runs many sites under different leadership.

Segregation of duties

Authors cannot approve their own documents. CAPA verifiers cannot be the CAPA owner. Enforced at the database level, not advisory.
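The two database-level guarantees above, tenant isolation on every query and segregation of duties, can be expressed directly in PostgreSQL (the engine behind Supabase). The following is an added example, not CompStack's own schema or code: the table name `documents`, the session settings `app.org_id` / `app.user_id`, the role `compstack_app`, and the sample UUIDs are all assumptions made for illustration.

```sql
-- Added example, not CompStack's own schema. Shows on PostgreSQL:
--   1. per-organisation row-level isolation, enforced on every query by RLS;
--   2. segregation of duties: a document's author can never be its approver.
-- Assumed: the application connects as a non-superuser role without BYPASSRLS
-- and sets app.org_id / app.user_id (hypothetical names) from the authenticated
-- session at the start of every request.

create table documents (
    id          bigserial primary key,
    org_id      uuid not null,
    author_id   uuid not null,
    approver_id uuid,
    status      text not null default 'draft'
                check (status in ('draft', 'in_review', 'approved')),
    -- Segregation of duties as a constraint, not application advice.
    constraint documents_author_not_approver
        check (approver_id is null or approver_id <> author_id),
    -- An approved document must name who approved it.
    constraint documents_approved_has_approver
        check (status <> 'approved' or approver_id is not null)
);

-- Tenant isolation. FORCE applies the policy to the table owner as well;
-- only superusers and roles with BYPASSRLS are exempt, so the app uses neither.
alter table documents enable row level security;
alter table documents force row level security;

-- One policy for all commands: USING filters SELECT/UPDATE/DELETE to the
-- caller's org, WITH CHECK rejects INSERT/UPDATE rows bound for another org.
-- current_setting(..., true) yields NULL when unset, so a request that forgot
-- its org context sees and writes nothing rather than everything.
create policy documents_tenant_isolation on documents
    using      (org_id = current_setting('app.org_id', true)::uuid)
    with check (org_id = current_setting('app.org_id', true)::uuid);

-- Hypothetical application role; switching to it makes RLS apply even when this
-- script is run from a superuser session.
create role compstack_app nologin;
grant select, insert, update, delete on documents to compstack_app;
grant usage on sequence documents_id_seq to compstack_app;
set role compstack_app;

-- A request's context (constructed sample identifiers).
select set_config('app.org_id',  '11111111-1111-1111-1111-111111111111', false);
select set_config('app.user_id', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', false);

insert into documents (org_id, author_id)
values (current_setting('app.org_id')::uuid, current_setting('app.user_id')::uuid);

-- The author tries to approve their own document: rejected by
-- documents_author_not_approver, whatever the application layer intended.
update documents
   set status = 'approved', approver_id = current_setting('app.user_id')::uuid
 where author_id = current_setting('app.user_id')::uuid;

-- A different user in the same org approves it: allowed.
select set_config('app.user_id', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', false);
update documents
   set status = 'approved', approver_id = current_setting('app.user_id')::uuid
 where status = 'draft';

-- A request for another tenant cannot see the first tenant's row even without
-- a WHERE clause, and cannot write a row into that tenant's org: the policy's
-- WITH CHECK rejects the insert.
select set_config('app.org_id', '22222222-2222-2222-2222-222222222222', false);
select count(*) from documents;
insert into documents (org_id, author_id)
values ('11111111-1111-1111-1111-111111111111', current_setting('app.user_id')::uuid);
```

Run it statement by statement in psql; the two rejected statements fail on their own without affecting the rest. The design point is that neither guarantee depends on the application remembering a WHERE clause or a permission check: the policy and the CHECK constraints are evaluated by the database on every statement, which is what makes them auditable controls rather than conventions.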

Immutable audit log

Every scope change, approval, evidence acceptance, and AI action is recorded with actor, timestamp, and prior state. Append-only.

Encryption & signed access

TLS 1.3 in transit. AES-256 at rest. Time-limited signed URLs for evidence, no public file links, ever.

Data residency

Choose a region for your tenant: EU, US, or Africa. Cross-region replication is opt-in, not default.

Control catalog

The full list, organized.

A condensed view of the SOC 2 / ISO 27001-style controls we operate. Full evidence pack available under NDA.

Identity

  • SSO via OIDC / SAML 2.0
  • Mandatory MFA for admins
  • Session expiry & idle timeout
  • Service account scoping

Network

  • TLS 1.3 with HSTS
  • WAF in front of public endpoints
  • Rate limiting on auth + AI endpoints
  • Egress filtering on sub-processor traffic

Data

  • AES-256 at rest, per-tenant keys
  • Backups encrypted & tested quarterly
  • DELETE → 30-day grace, then crypto-shredded
  • PII inventory + retention rules per entity

Operations

  • Change management with peer review
  • Branch protection & required CI
  • Pen-tests annually + on major changes
  • Vendor review before sub-processor adds

Incident response

What happens when something breaks.

Our IR plan, in five sentences.

  1. Detect
     Alerts fire from logs, anomaly detection, customer reports, and external monitoring within 15 minutes of signal.
  2. Triage
     On-call engineer assesses severity (S1–S4), opens an incident channel, and declares an incident commander.
  3. Contain
     We stop the bleeding before we explain the cause. Affected tenants are notified within 4h for S1/S2.
  4. Resolve
     Fix is deployed, verified, and reviewed. Status page reflects each transition in real time.
  5. Post-mortem
     Blameless post-mortem published to affected customers within 5 business days. Root-cause CAPAs tracked internally.

Sub-processors

Who we share data with, and why.

Each sub-processor has a contract that prohibits using your data for anything outside the stated purpose.

Name         Purpose                          Region
Supabase     Application database + storage   EU/US (per tenant)
Cloudflare   CDN, WAF, DDoS protection        Global edge
Anthropic    AI Copilot model inference       Per region; data not retained
OpenAI       Embeddings (vector index)        EU; data not retained
Resend       Transactional email              EU

Disclosure

Found a vulnerability?

We respond within one business day. Coordinated disclosure preferred. We credit researchers in our disclosure log.

security@compstack.io

PGP key on /pgp.txt. Encrypt anything sensitive.

No active bug bounty

We pay for impactful findings on a per-case basis. Hall of fame list maintained.

Out of scope

Social engineering, physical attacks, denial-of-service, and findings against staging without prior coordination.

Need the full pack?

SOC 2 progress, pen-test summaries, DPA & sub-processor list.

Available under NDA within 24 hours. We also keep a vendor security questionnaire pre-filled in CSV, which saves your team a week.