Security

How we protect your data and maintain trust

Compliance

SOC 2 Type I: Certification Pending

We are actively working toward SOC 2 Type I certification to demonstrate our commitment to security.

Our Security Commitment

Security is foundational to Complyer. We implement comprehensive security controls to protect your compliance data and maintain the integrity of your approval workflows. Our security practices are designed to meet enterprise requirements.

Encryption at Rest

All sensitive data is encrypted using AES-256-GCM. Slack bot tokens and credentials are never stored in plaintext.

Encryption in Transit

All connections use TLS 1.2+ encryption. We enforce HTTPS for all traffic and API communications.

Tenant Isolation

Row-level security ensures complete data isolation between organizations. No cross-tenant data access is possible.

Audit Logging

Comprehensive, immutable audit logs track all actions. Database triggers ensure complete accountability.

Infrastructure Security

  • Vercel: Application hosted on Vercel's secure, SOC 2 compliant infrastructure
  • Supabase: PostgreSQL database with built-in security and SOC 2 Type II certification
  • Automated Backups: Regular database backups with point-in-time recovery
  • Edge Network: Global CDN with DDoS protection

Access Controls

Authentication: All users authenticate through Slack OAuth. We never store passwords. Sessions are managed with secure, HTTP-only cookies and short-lived JWTs.

Authorization: Role-based access control (RBAC) with three levels: Admin, Approver, and Requester. Permissions are enforced at both application and database layers.

API Security: All Slack webhooks are verified using signing secrets. Internal APIs require valid session tokens. Background jobs use dedicated secrets.

Slack Integration Security

Our Slack integration follows Slack's security best practices:

  • Bot tokens encrypted before storage
  • Request signatures verified on every webhook
  • Minimal OAuth scopes requested
  • No access to private messages or unrelated channels
  • Regular token rotation supported

Incident Response

We maintain an incident response plan that includes detection, containment, eradication, and recovery procedures. In the event of a security incident affecting your data, we will notify affected organizations within 72 hours.

Security Contact

To report a security vulnerability or for security-related inquiries, please contact us at security@complyer.ai.