Security at CompliDeck

We take the security of your compliance data seriously. Here's how we protect your organization's information.

Encryption

All data is encrypted in transit using TLS 1.2+ (HTTPS everywhere). Data at rest is encrypted using AES-256 via our infrastructure provider. Database backups are also encrypted.

Data Isolation

Every organization's data is logically isolated using row-level security (RLS) policies enforced at the database layer. One organization can never access another's data, even in the event of an application-level bug.

Authentication & Access Control

We support email/password and Google OAuth sign-in. Passwords are hashed using bcrypt. Role-based access control (RBAC) enforces admin, manager, and member permissions at both the application and API level. API keys use SHA-256 hashing and are never stored in plaintext.

Audit Trail

Every action in CompliDeck is logged: employee additions, policy signatures (with IP address and timestamp), asset changes, and team modifications. Audit logs are immutable and available for export.

E-Signature Integrity

Policy signatures are recorded with the signer's typed name, IP address, user agent, and UTC timestamp. Each signing link uses a unique cryptographic token that expires after 30 days. Signed acknowledgments cannot be modified after submission.

Infrastructure

CompliDeck runs on industry-leading infrastructure:

  • Database: PostgreSQL on Supabase (AWS), with automated daily backups and point-in-time recovery
  • Hosting: Vercel edge network with automatic SSL, DDoS protection, and global CDN
  • Payments: Stripe handles all payment processing. We never store credit card numbers
  • Email: Resend for transactional email delivery with SPF/DKIM authentication

API & Webhook Security

API keys are hashed with SHA-256 before storage. Outgoing webhooks support HMAC-SHA256 signature verification so you can validate that payloads originated from CompliDeck. All API endpoints enforce authentication and organization-scoped data access.

Data Deletion & Portability

Organization admins can delete their entire account and all associated data at any time from Settings. Data is permanently removed from all tables including backups within 30 days. CSV export is available for employees, policies, and assets so you can take your data with you.

Questions about security?

We're happy to answer any questions about how we protect your data.

security@complideck.com