Security at ComplySherpa

Built with security-first principles to protect your compliance data and maintain trust.

Our Security Commitment

At ComplySherpa, security isn't an afterthought — it's foundational. We handle sensitive compliance data for organizations preparing for SOC 2, ISO 27001, and other critical certifications. That responsibility drives every architectural decision we make.

Our security posture is built on industry best practices, continuous monitoring, and a culture of transparency. We're preparing for our own SOC 2 Type II certification and practice what we preach.

Security Features

Encryption Everywhere

In Transit: TLS 1.2+ for all data transmission

At Rest: AES-256 encryption for all stored data

Keys: Managed through AWS KMS with automatic rotation

Access Controls

SSO/SAML: Enterprise single sign-on (Enterprise plan)

MFA: Required for all user accounts

RBAC: Role-based access with least-privilege enforcement

Infrastructure Security

Cloud Provider: AWS (SOC 2, ISO 27001 certified)

Network: Private subnets, security groups, WAF

Patching: Automated OS and dependency updates

Monitoring & Logging

Centralized Logging: All access and system events

SIEM: Real-time threat detection and alerting

Audit Trails: Immutable logs for compliance evidence

Backup & Recovery

Automated Backups: Daily encrypted backups

Retention: 90-day backup retention policy

DR Testing: Quarterly restore and failover tests

Vulnerability Management

Scanning: Weekly automated vulnerability scans

SAST/DAST: Integrated into CI/CD pipeline

Pen Testing: Annual third-party penetration tests

Data Protection

Data Classification

  • All customer data treated as confidential
  • Evidence artifacts encrypted and access-logged
  • PII handling per GDPR and PIPEDA requirements
  • Secure deletion upon customer request

Data Residency

  • Primary hosting in AWS US-East (N. Virginia)
  • European data residency available (Enterprise)
  • No cross-border transfers without consent
  • Sub-processors listed at /subprocessors

Compliance & Certifications

SOC 2 Type II

  • Status: In Progress
  • Audit period: Jan 2026 - Dec 2026
  • Criteria: Security, Availability, Confidentiality

ISO/IEC 27001

  • Status: ISMS Implemented
  • Stage 1 target: Q2 2026
  • Scope: Information security management system certified

GDPR & PIPEDA

  • Status: Aligned
  • Privacy by design principles
  • Data Processing Agreement available

Security Practices

Secure Development

  • Security code reviews for all changes
  • Dependency scanning and automated updates
  • Secrets management (no hardcoded credentials)
  • Secure CI/CD pipelines with approval gates

Team Training

  • Annual security awareness training
  • Phishing simulation exercises
  • Secure coding workshops
  • Incident response drills

Incident Response

  • 24/7 security monitoring
  • Documented incident response plan
  • Customer notification within 72 hours
  • Post-incident reviews and remediation

Vendor Management

  • Security assessments for all vendors
  • Annual vendor risk reviews
  • Data processing agreements in place
  • Transparent sub-processor list

Responsible Disclosure

We welcome security researchers and the broader community to help us maintain a secure platform. If you discover a security vulnerability, please report it responsibly.

How to Report

Email: security@complysherpa.com

PGP Key: Available upon request

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact information

We commit to acknowledging reports within 48 hours and providing updates every 7 days until resolution.

Questions About Our Security?

We're happy to discuss our security practices in detail. Request our security white paper or schedule a call with our security team.