Home

Security Policy

Last updated: 16 July 2026

Security isn't a feature we bolt on — it's the whole point of what we sell, so we hold our own house to the standard we help customers reach. This page is an honest, plain-language overview of how we protect the platform and your data. Enterprise customers can request our detailed security documentation and reports under NDA.

We practise what we preach

Our own security programme is built to comply with all six frameworks we support — ISO 27001, SOC 2, ISO 42001, HIPAA, PCI DSS, and NIS2. We use our own platform to run it, which means the controls below aren't aspirational slides; they're evidenced and continuously monitored.

Data encryption

All data is encrypted in transit using TLS, and encrypted at rest in storage. Secrets and credentials are encrypted with strong, industry-standard algorithms and are never stored in plaintext.

Tenant isolation

Each organisation's evidence lives in its own isolated storage bucket on AWS — not commingled in a shared table. That physical separation means one customer's data can never surface in another's account or exports.

Data residency

You choose where your data lives at signup — the EU (Frankfurt), the US (Northern Virginia), or Asia-Pacific (Singapore) — and it stays there. Enterprise customers can bring their own AWS storage for full custody.

Access control

We follow least privilege: staff can access only what their role genuinely requires, access is logged, and administrative access is tightly restricted and protected with multi-factor authentication. Within the product, role-based access control lets you do the same for your team.

Monitoring and logging

We continuously monitor our systems and keep audit logs of significant activity, so unusual behaviour is caught quickly rather than discovered months later. Our honest-dashboard principle applies internally too: we'd rather see a real problem than a comfortable green light.

Secure development

Security is part of how we build, not an afterthought. Changes go through review, dependencies are monitored for known vulnerabilities, and we test before we ship. We patch promptly when issues are found.

Vulnerability management

We scan for and remediate vulnerabilities on a risk-prioritised basis, and we welcome reports from security researchers under our Responsible Disclosure Policy.

Resilience and backups

We rely on AWS's proven infrastructure for availability, take regular backups, and design for recovery so your data survives the bad day. Versioning on storage protects against accidental loss or overwrite.

Incident response

We have a defined process for handling security incidents: detect, contain, investigate, remediate, and communicate. If an incident affects your data, we'll notify you without undue delay and tell you what we know and what we're doing — as set out in our DPA.

Our people

Security is a team sport. Our personnel are bound by confidentiality, receive security awareness training, and are granted access on a need-to-know basis that's removed when it's no longer needed.

Physical security and sub-processors

Physical security of the underlying data centres is handled by AWS, whose facilities carry the industry's leading certifications. Every other partner we rely on is vetted and listed on our Sub-processors page.

Reporting a concern

Found a vulnerability, or have a security question? See our Responsible Disclosure Policy, or email security@complianceonecloud.com. Enterprise customers can request our security documentation and framework reports under NDA.