Security
How we protect customer data — what we do, where it lives, and how we'd respond if something went wrong.
Hosting and data residency
All customer data lives on servers in Finland, hosted via Hetzner. The application is a Next.js app backed by a MariaDB database; both run in the same data centre. Scan workers (Playwright/Chromium browsers) run on the same infrastructure — no scan data is sent to third parties beyond what's listed on our sub-processors page.
Encryption
- In transit: All traffic between your browser and CompliantHQ uses TLS 1.2+. We do not accept plain HTTP for any authenticated endpoint.
- At rest: Database volumes are encrypted at rest. Customer-supplied API keys (e.g. CookieScript tokens used for richer scans) are encrypted with AES-256-GCM using a key derived via HKDF before storage; see src/lib/crypto.ts.
- Backups: Daily snapshot of the database, retained 30 days. Backups are encrypted at rest and never leave the EU.
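The at-rest bullet names the primitives (AES-256-GCM under an HKDF-derived key) but the page does not show src/lib/crypto.ts. The following is an added example of that construction in Node's crypto API, written for this page and not taken from the project: the fixed master key, the HKDF info label, the on-disk record shape and the AAD convention ("ws:<id>:cookiescript") are all assumptions.

```typescript
import { createCipheriv, createDecipheriv, hkdfSync, randomBytes } from "crypto";

// Assumed master key. A real deployment loads it from the environment or a secret
// manager and never commits it; fixed bytes here so the example runs offline.
const MASTER_KEY = Buffer.from(
  "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff", "hex");

const ALG = "aes-256-gcm";
const IV_BYTES = 12;   // 96-bit nonce, the recommended GCM size
const TAG_BYTES = 16;  // 128-bit authentication tag
const HKDF_INFO = "customer-api-key:v1"; // assumed purpose label; use a different one per secret type
const FORMAT_VERSION = 1;

export interface SealedSecret {
  v: number;    // format version, so the scheme can be rotated later
  salt: string; // hex, per record, feeds HKDF
  iv: string;   // hex
  tag: string;  // hex
  ct: string;   // hex
}

// HKDF-SHA256 turns the long-lived master key into a fresh 32-byte key per record.
// A per-record salt means two records never share a (key, nonce) pair even if the
// 96-bit random nonce ever repeats, which is the failure GCM cannot tolerate.
function deriveKey(master: Buffer, salt: Buffer): Buffer {
  return Buffer.from(hkdfSync("sha256", master, salt, HKDF_INFO, 32));
}

// Seal a customer-supplied secret for storage. `aad` is authenticated but not encrypted;
// binding it to the owning row (e.g. "ws:42:cookiescript") means a ciphertext copied into
// another row, or served for another workspace, fails to open.
export function sealSecret(plaintext: string, aad: string, master: Buffer = MASTER_KEY): SealedSecret {
  const salt = randomBytes(16);
  const iv = randomBytes(IV_BYTES);
  const cipher = createCipheriv(ALG, deriveKey(master, salt), iv, { authTagLength: TAG_BYTES });
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    v: FORMAT_VERSION,
    salt: salt.toString("hex"),
    iv: iv.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
    ct: ct.toString("hex"),
  };
}

// Open a sealed secret. A wrong master key, wrong AAD, or any altered field makes
// decipher.final() throw, so callers get the plaintext or an error, never garbage.
export function openSecret(sealed: SealedSecret, aad: string, master: Buffer = MASTER_KEY): string {
  if (sealed.v !== FORMAT_VERSION) throw new Error(`unsupported sealed-secret version ${sealed.v}`);
  const decipher = createDecipheriv(
    ALG, deriveKey(master, Buffer.from(sealed.salt, "hex")),
    Buffer.from(sealed.iv, "hex"), { authTagLength: TAG_BYTES });
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(Buffer.from(sealed.tag, "hex"));
  return Buffer.concat([decipher.update(Buffer.from(sealed.ct, "hex")), decipher.final()]).toString("utf8");
}
```

The version field is what makes master-key rotation tractable: bump it when the derivation changes, keep the old `openSecret` path around until every row has been re-sealed, and the decrypt-then-re-encrypt migration can run in the background under the two-engineer rule described below.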
Authentication
- Magic-link login. No passwords are stored. Each login link is single-use and expires after 10 minutes. Sessions use HttpOnly, Secure, SameSite=Lax cookies.
- No social logins, no OAuth. Reduces the attack surface and avoids the cross-account-recovery class of vulnerabilities.
- Per-action authorisation. Every API endpoint that mutates data verifies the caller's role at the org and workspace level. We have an automated authorisation test pass scheduled (Q3 2026) — current coverage is manual review.
Access control
- Production database access is limited to two engineers, both required for any production migration.
- No engineer has standing access to customer scan results in the database; access is via the application UI as a workspace member only.
- Internal admin routes (/dashboard/admin/*) require both an authenticated session and an is_admin flag set in the database.
Logging and incident response
- Access logs: Server access logs retained 90 days, used for incident triage.
- Application logs: Errors are captured via Sentry (sub-processor); we log failure events but not request bodies or PII.
- Incident notification: If we detect a security incident affecting personal data we will (a) notify IMY (Sweden's data-protection authority) within 72 hours of becoming aware of it, per GDPR Art. 33, and (b) inform affected users without undue delay, per Art. 34.
Software security
- Public dependencies tracked via package-lock.json; we run npm audit on every commit and review CVEs before deploy.
- SSRF defences in the scanner block loopback / RFC1918 / link-local / cloud-metadata addresses, embedded credentials in URLs, and non-default ports; see src/lib/security/ssrf-guard.ts and its test suite.
- Inputs validated via Zod schemas at every API boundary; database queries go through Drizzle ORM with parameterised queries.
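The SSRF bullet lists the blocked classes but the page does not show src/lib/security/ssrf-guard.ts. Below is an added example of a guard that implements those classes, written for this page rather than taken from the project, and it goes one step beyond the list by also requiring a resolved-address check for hostname targets. The blocklist contents, the reserved-suffix rule for `.localhost` and `.internal`, and the function names are assumptions.

```typescript
import { isIP } from "net";

export type Verdict =
  | { ok: true; host: string; port: number }
  | { ok: false; reason: string };

// Only plain web schemes, on their default ports (the "non-default ports" rule above).
const DEFAULT_PORTS: Record<string, number> = { "http:": 80, "https:": 443 };

// Assumed blocklist: "this network", RFC1918, CGNAT (Alibaba metadata 100.100.100.200 lives here),
// loopback, link-local (contains the 169.254.169.254 cloud-metadata endpoint), multicast, reserved.
const BLOCKED_V4 = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
];
const BLOCKED_HOSTS = new Set(["localhost", "metadata.google.internal", "metadata"]);

function ipv4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, o) => ((acc << 8) + Number(o)) >>> 0, 0);
}
function inCidr4(ip: string, cidr: string): boolean {
  const [net, bits] = cidr.split("/");
  const mask = Number(bits) === 0 ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// Expand an IPv6 literal to eight 16-bit groups; a dotted-quad tail (::ffff:10.0.0.1) is folded in.
function expandV6(addr: string): number[] | null {
  let a = addr.toLowerCase();
  const v4 = a.match(/(\d+\.\d+\.\d+\.\d+)$/);
  if (v4) {
    const n = ipv4ToInt(v4[1]);
    a = a.slice(0, -v4[1].length) + (n >>> 16).toString(16) + ":" + (n & 0xffff).toString(16);
  }
  const halves = a.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = 8 - head.length - tail.length;
  if (fill < 0 || (halves.length === 1 && fill !== 0)) return null;
  const groups = [...head, ...Array(fill).fill("0"), ...tail].map((g) => parseInt(g, 16));
  return groups.some(Number.isNaN) ? null : groups;
}

export function isBlockedAddress(addr: string): boolean {
  const fam = isIP(addr);
  if (fam === 4) return BLOCKED_V4.some((c) => inCidr4(addr, c));
  if (fam !== 6) return true; // not an address at all: refuse
  const g = expandV6(addr);
  if (!g) return true;
  if (g.every((x) => x === 0)) return true;                             // :: unspecified
  if (g.slice(0, 7).every((x) => x === 0) && g[7] === 1) return true;   // ::1 loopback
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff)           // IPv4-mapped: re-check as v4
    return isBlockedAddress(`${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`);
  if ((g[0] & 0xffc0) === 0xfe80) return true;                          // fe80::/10 link-local
  if ((g[0] & 0xfe00) === 0xfc00) return true;                          // fc00::/7 unique-local
  if ((g[0] & 0xff00) === 0xff00) return true;                          // ff00::/8 multicast
  return false;
}

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// `resolved` is the A/AAAA answer set the caller obtained for a hostname target; a literal IP needs none.
export function checkScanUrl(raw: string, resolved?: string[]): Verdict {
  const u = parseUrl(raw);
  if (!u) return { ok: false, reason: "unparseable URL" };
  if (!(u.protocol in DEFAULT_PORTS)) return { ok: false, reason: `scheme ${u.protocol} not allowed` };
  if (u.username || u.password) return { ok: false, reason: "credentials embedded in URL" };
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  if (port !== DEFAULT_PORTS[u.protocol]) return { ok: false, reason: `non-default port ${port}` };
  // WHATWG parsing has already normalised forms like 2130706433 or 0x7f.1 to dotted-quad.
  const host = u.hostname.replace(/^\[|\]$/g, "").toLowerCase();
  if (BLOCKED_HOSTS.has(host) || host.endsWith(".localhost") || host.endsWith(".internal")) {
    return { ok: false, reason: `hostname ${host} is internal` };
  }
  if (isIP(host)) {
    if (isBlockedAddress(host)) return { ok: false, reason: `address ${host} is in a blocked range` };
  } else if (!resolved) {
    return { ok: false, reason: `${host} not resolved; resolve, check, then connect to the checked address` };
  } else {
    for (const a of resolved) if (isBlockedAddress(a)) return { ok: false, reason: `${host} resolves to ${a}` };
  }
  return { ok: true, host, port };
}
```

Two caveats a reviewer of any such guard should check for. First, a check on the hostname alone is not enough: the scanner has to resolve the name, pass the answers through `isBlockedAddress`, and then connect to the address it checked (or re-check on every redirect), otherwise a DNS record that changes between check and fetch slips through. Second, when the fetch is done by a browser such as Playwright's Chromium rather than by the application, the browser does its own resolution and follows its own redirects, so the guard has to sit in front of the browser's network path (a request interceptor or an egress proxy) rather than only in front of the initial URL.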
What we don't do (yet)
- SOC 2 / ISO 27001 certification: Not yet. We're a pre-launch product; certification is on the roadmap when we have enterprise customers asking for it.
- Bug bounty programme: Not yet. Security reports welcome at hello@complianthq.ai — we acknowledge within one business day.
- Pen test: Internal authorisation audit completed Q2 2026. External pen test scheduled before public launch.
Reporting a vulnerability
Email hello@complianthq.ai with steps to reproduce. Please don't publicly disclose before we've confirmed and patched. We aim to acknowledge within one business day and patch within 30 days for high-severity issues. Coordinated disclosure works for both of us.