Compliance One helps companies prove they handle data responsibly, so it would be a bad look if we didn't hold ourselves to the same standard. This policy explains, in plain language, what personal data we collect, why, where it lives, and the control you have over it. No dense legalese, no buried surprises.
We collect the minimum we need to run our website and platform. We never sell your personal data. You choose which region your data is stored in — the EU, the US, or Asia-Pacific. We protect it with encryption, strict access controls, and continuous monitoring. And you can ask us at any time to show you, correct, export, or delete your data.
The rest of this page is the detail behind those promises.
This policy covers people who visit complianceonecloud.com, people who contact us or request a demo, and people who use the Compliance One platform through an organisation that subscribes to it. Where an organisation uploads its own data to the platform, that organisation is the controller of that data and we act as its processor — the Data Processing Addendum governs that relationship in detail.
We group the data we collect into three buckets, so it's clear what comes from where:
We only use personal data for reasons you would reasonably expect:
If you're in the EU, UK, or another region with GDPR-style rules, we rely on a specific legal basis for each use:
This is the part people care about most, so we'll be specific. The platform runs on Amazon Web Services (AWS). When your organisation signs up, it chooses a data region, and its evidence is stored there in its own isolated storage bucket — not pooled in a shared table. We support three regions:
Enterprise customers can go a step further and bring their own AWS S3 storage, keeping their evidence entirely within their own account and under their own custody. Some operational and website data (like analytics and logs) may be processed in other regions by our sub-processors — we list them, and their roles, on our Sub-processors page.
We hold our own security programme to the same six frameworks we help our customers with — ISO 27001, SOC 2, ISO 42001, HIPAA, PCI DSS, and NIS2. In practice that means:
We do not sell personal data, and we don't share it for anyone else's advertising. We share it only with a small set of vetted sub-processors who help us run the service — for example AWS for hosting, Cloudflare for bot protection, and an email provider for transactional messages. Each is contractually bound to protect your data and use it only on our instructions. The full list, and what each one does, is on our Sub-processors page. We may also disclose data where the law genuinely requires it, and if we're ever part of a merger or acquisition, we'll tell you before your data becomes subject to a different policy.
Because we offer regional storage, you can keep personal data in your chosen region. Where data does cross borders — for example when a support engineer in one country helps with an account in another — we rely on appropriate safeguards such as the EU Standard Contractual Clauses, and we minimise what's transferred.
Our website uses a small number of cookies and similar technologies to keep the site working, remember your preferences, and understand aggregate usage so we can improve it. We keep this light and non-invasive, and we don't use cookies to build advertising profiles of you.
We keep personal data only as long as we need it, then delete or anonymise it. For example: demo-request messages are kept while we follow up and for a reasonable period after; customer content is kept for the life of the subscription and then deleted or returned as set out in the DPA; and billing records are kept for the period tax and accounting law requires.
Depending on where you live, you have rights over your personal data — and we honour them regardless of where you're based, because it's the right thing to do. You can ask us to:
Compliance One is a tool for businesses, not children. We don't knowingly collect personal data from anyone under 16, and if we learn we have, we'll delete it.
If we make a meaningful change, we'll update the date at the top and, for significant changes, let affected users know rather than quietly editing this page. The version you're reading was last updated on the date shown above.
Questions about your data, or want to exercise one of the rights above? Email us at hello@complianceonecloud.com and a real person will help.