
Security

How we protect customer data — what we do, where it lives, and how we'd respond if something went wrong.

Hosting and data residency

All customer data lives on servers in Finland, hosted via Hetzner. The application is a Next.js app backed by a MariaDB database; both run in the same data centre. Scan workers (Playwright/Chromium browsers) run on the same infrastructure — no scan data is sent to third parties beyond what's listed on our sub-processors page.

Encryption

  • In transit: All traffic between your browser and CompliantHQ uses TLS 1.2+. We do not accept plain HTTP for any authenticated endpoint.
  • At rest: Customer-supplied API keys (e.g. CookieScript tokens used for richer scans) are encrypted with AES-256-GCM and a key derived via HKDF before storage.
  • Backups: Daily snapshot of the database, retained 7 days. Backups are stored on our infrastructure within the EU and never leave the EU/EEA.

Authentication

  • Magic-link login. No passwords are stored. Each login link is single-use and expires after 24 hours. Sessions use HttpOnly, Secure, SameSite=Lax cookies.
  • No social logins, no OAuth. This keeps the OAuth/OIDC callback and token-handling surface out of the app and avoids the cross-account-recovery class of vulnerabilities, where an account is taken over through a linked provider identity rather than through its own credentials.
  • Per-action authorisation. Every API route and dashboard page goes through a central authorisation wrapper (mainAuthorize / pageAuthorize) that verifies both session and role requirements before the handler runs. A build-time scan blocks deploys if any new route is missing a wrapper. A complementary automated test suite is on the roadmap for Q3 2026.

Access control

  • Production database access follows the principle of least privilege. All schema changes are made through version-controlled migrations reviewed before deployment — never as ad hoc commands against the production database.
  • No engineer has standing access to customer scan results in the database; access is via the application UI as a workspace member only.
  • Internal admin routes (/dashboard/admin/*) require both an authenticated session and an is_admin flag set in the database.

Logging and incident response

  • Access logs: Server access logs retained 90 days, used for incident triage.
  • Application logs: We log failure events to the application's own log on the production server, but not request bodies or PII.
  • External error monitoring: We use Sentry for crash reporting in both the server and browser layers. Data is stored in Sentry's EU data centre (Frankfurt) — no data leaves the EU/EEA. Performance and session tracking in the browser are disabled, so on public pages nothing is sent on normal page views — only when an actual error occurs. Error messages, stack traces, and runtime context are sent; request bodies, payment data, login credentials, and IP addresses are intentionally not sent. Full description on the sub-processors page.
  • Incident notification: If we detect a security incident affecting personal data we will (a) notify IMY (Sweden's data-protection authority) without undue delay and within 72 hours of becoming aware of it, per GDPR Art. 33, and (b) inform affected users without undue delay per Art. 34.

Software security

  • Third-party dependencies are pinned via a committed package-lock.json, so builds install the exact versions that were reviewed; we check known vulnerabilities with npm audit and keep dependencies up to date.
  • The scanner's SSRF defences block requests to loopback, RFC 1918, link-local and cloud-metadata addresses, reject URLs with embedded credentials, and refuse non-default ports; these checks have their own test suite.
  • Inputs validated via Zod schemas at every API boundary; database queries go through Drizzle ORM with parameterised queries.

What we don't do (yet)

  • SOC 2 / ISO 27001 certification: Not yet. We're an early-stage product with a growing customer base; certification is on the roadmap when enterprise customers ask for it.
  • Bug bounty programme: Not yet. Security reports welcome at hello@complianthq.ai — we acknowledge within one business day.
  • Pen test: Internal authorisation audit completed Q2 2026. An external pen test is planned during 2026.

Reporting a vulnerability

Email hello@complianthq.ai with steps to reproduce. Please don't publicly disclose before we've confirmed and patched. We aim to acknowledge within one business day and patch within 30 days for high-severity issues. Coordinated disclosure works for both of us.

Security — CompliantHQ