Security & Trust

Your Compliance Data, Secured

We understand that trust is earned. Learn how we protect your sensitive compliance data with enterprise-grade security, continuous monitoring, and industry-leading practices.

End-to-End Encryption
SOC 2 Type II*
24/7 Monitoring
Regular Audits

* Certification in progress. Expected completion Q2 2026.

Our Security Commitment

Security isn't just a feature—it's the foundation of everything we build. As a compliance platform, we hold ourselves to the highest security standards.

Security by Design

Every feature is designed with security in mind from day one, following the principle of least privilege and defense in depth.

Continuous Monitoring

24/7 security monitoring, automated threat detection, and real-time alerts ensure your data is always protected.

Transparency

We're open about our security practices, regularly publish updates, and maintain clear documentation for our customers.

Our Security Practices

Data Encryption

At Rest: AES-256 encryption for all data stored in our databases and file storage systems.

In Transit: TLS 1.3 for all data transmitted between your browser and our servers, as well as between internal services.

Access Control

Role-based access control (RBAC) with granular permissions

Multi-factor authentication (MFA) required for all users

SSO support via SAML 2.0 (Enterprise plans)

Infrastructure Security

Hosted on AWS with SOC 2 and ISO 27001 certified infrastructure

Automated security patching and updates

Network segmentation and firewalls

Monitoring & Logging

24/7 security monitoring and alerting

Comprehensive audit logs for all user actions

Automated anomaly detection and threat intelligence

Data Protection

Automated daily backups with 30-day retention

Geo-redundant storage across multiple availability zones

Point-in-time recovery capabilities

Application Security

Regular penetration testing by third-party experts

Automated security scanning in CI/CD pipeline

OWASP Top 10 protection and secure coding practices

Compliance & Certifications

We practice what we preach. Simple Comply maintains the same compliance standards we help our customers achieve.

SOC 2 Type II

In Progress

We're currently undergoing our SOC 2 Type II audit with an independent third-party auditor. Expected completion: Q2 2026.

  • Security controls audited and tested
  • 6-month observation period
  • Annual audits thereafter

ISO 27001

Planned 2026

ISO 27001 certification planned for H2 2026 to serve our international customers with globally recognized security standards.

  • ISMS implementation underway
  • 114 controls being documented
  • Certification audit scheduled

GDPR Compliance

Compliant

Full compliance with EU General Data Protection Regulation for processing customer data.

  • Data Processing Agreements available
  • EU data residency options
  • Data subject rights supported

CCPA Compliance

Compliant

California Consumer Privacy Act compliance for US customers.

  • Privacy Policy posted and maintained
  • Consumer rights request process
  • Do Not Sell disclosure

Note: Upon completion of our SOC 2 Type II audit, the full report will be available to customers under NDA. Contact our sales team for more information.

Data Privacy & Handling

Data Minimization

We only collect and process data necessary to provide our services. No unnecessary tracking, no selling of data to third parties.

Data Residency

Choose where your data is stored:

  • United States (AWS us-east-1, us-west-2)
  • European Union (AWS eu-west-1) - Available on request
  • United Kingdom (AWS eu-west-2) - Available on request

Data Portability

Export your data at any time in standard formats (JSON, CSV, PDF). No lock-in, no barriers to switching.

Data Retention

Active customer data is retained for the duration of service. Upon account closure, data is deleted within 30 days, or retained where regulatory requirements demand it. Backups are purged within 90 days.

Sub-processors

We maintain a list of all sub-processors who may process customer data:

  • AWS (Infrastructure hosting)
  • Stripe (Payment processing)
  • SendGrid (Email delivery)

Full sub-processor list available in our Data Processing Agreement.

Incident Response

We have a comprehensive incident response plan to quickly identify, contain, and resolve security incidents.

  • Incident Detection: < 1 hour
  • Initial Response: < 4 hours
  • Customer Notification: < 24 hours
  • Regulatory Reporting: < 72 hours

Our Commitment

  • Immediate containment and remediation of any security incident
  • Transparent communication with affected customers
  • Compliance with all breach notification requirements (GDPR, CCPA, etc.)
  • Post-incident review and continuous improvement

Responsible Disclosure

We welcome security researchers to help us keep Simple Comply secure. If you've discovered a security vulnerability, please report it responsibly.

Security Bug Bounty Program

Coming Soon

How to Report

Email us at security@simplycomply.io with:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any proof-of-concept code (optional)

Our Response Timeline

  • Initial response within 24 hours
  • Assessment and severity classification within 48 hours
  • Fix timeline provided within 72 hours
  • Public disclosure coordinated with reporter

Scope

In Scope: *.simplycomply.io, app.simplycomply.io, api.simplycomply.io

Out of Scope: Social engineering, physical attacks, DoS/DDoS

Note: We kindly request that you do not publicly disclose the vulnerability until we have had a reasonable time to address it. We commit to working with you to coordinate public disclosure.

Questions About Our Security?

We're happy to discuss our security practices in detail.

Enterprise customers: Request our SOC 2 report and security questionnaire responses by contacting sales.