Security
Every product in the Compliai suite follows the same security standards.
Encryption
All data is transmitted over HTTPS using TLS 1.3. Data at rest is encrypted using AES-256. This applies to all user-created content, records, and account information stored in our database. Encryption keys are managed by our infrastructure providers and are rotated on a regular schedule.
Australian data hosting
Your data is stored exclusively on servers located in Australia (AWS ap-southeast-2, Sydney region). We do not transfer personal data outside Australia without your explicit consent. Our infrastructure providers are contractually bound to maintain this data residency requirement.
Infrastructure and availability
The application is hosted on Supabase (database and authentication) and Vercel (application layer) — enterprise-grade platforms with automatic security patching, uptime monitoring, and daily automated backups. Database backups are retained for 30 days. Vercel provides edge-level DDoS protection and automatic SSL certificate management.
Authentication
User authentication is handled by Supabase Auth. Passwords are hashed using bcrypt and never stored in plain text. Sessions use short-lived JWT tokens with secure, HTTP-only cookie storage. We enforce a minimum password length and rate-limit login attempts to prevent brute-force attacks.
Payments
All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers, CVVs, or full card data on our servers. Payment data is tokenised by Stripe before it reaches our application.
Access control
Row-level security (RLS) in PostgreSQL ensures each organisation can only read and write its own data — even within the shared database. Internal team access to production data is restricted on a least-privilege basis and requires multi-factor authentication. Access logs are retained and auditable.
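As an added illustration of the per-organisation isolation described above (this is example SQL, not Compliai's own schema or policies), a minimal PostgreSQL RLS setup for a shared multi-tenant table; the table names, the `app.user_id` session setting and the `app_user` role are assumptions, and Supabase's own auth helper functions are not assumed.

```sql
-- Example only (not Compliai's schema): per-organisation RLS in one shared database.
-- Table names, the app.user_id setting and the app_user role are assumptions.
CREATE TABLE organisations (id uuid PRIMARY KEY);

CREATE TABLE org_members (
  user_id uuid NOT NULL,
  org_id  uuid NOT NULL REFERENCES organisations(id),
  PRIMARY KEY (user_id, org_id)
);

CREATE TABLE records (
  id     bigserial PRIMARY KEY,
  org_id uuid NOT NULL REFERENCES organisations(id),
  body   text
);

-- Enable RLS and FORCE it so even the table owner is subject to the policy.
ALTER TABLE records ENABLE ROW LEVEL SECURITY;
ALTER TABLE records FORCE ROW LEVEL SECURITY;

-- The application sets the caller's identity per request with
--   SET LOCAL app.user_id = '<uuid>';
-- inside a transaction, so it cannot leak across pooled connections.
-- nullif() turns an unset/empty value into NULL, which matches no rows.
CREATE POLICY records_org_isolation ON records
  FOR ALL
  USING (
    org_id IN (SELECT org_id FROM org_members
               WHERE user_id = nullif(current_setting('app.user_id', true), '')::uuid)
  )
  WITH CHECK (
    org_id IN (SELECT org_id FROM org_members
               WHERE user_id = nullif(current_setting('app.user_id', true), '')::uuid)
  );

-- Defence in depth: the application role cannot bypass RLS, so the policy
-- is the only path to rows. USING filters reads; WITH CHECK rejects writes
-- that would place a row under another organisation's org_id.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON records TO app_user;
GRANT SELECT ON org_members TO app_user;
GRANT USAGE, SELECT ON SEQUENCE records_id_seq TO app_user;

-- Check (run as a role granted app_user): only the caller's organisations'
-- rows are visible; an INSERT with a foreign org_id fails with
-- "new row violates row-level security policy".
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.user_id = '00000000-0000-0000-0000-000000000001';  -- constructed sample id
SELECT count(*) FROM records;
COMMIT;
```

Verifying the policy from a fresh connection with no `app.user_id` set should return zero rows, which confirms that a missing identity fails closed rather than open.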
Vulnerability management
Dependencies are monitored for known vulnerabilities using automated tooling. Security patches are applied promptly. Application code is reviewed for common vulnerability classes including injection, broken authentication, and insecure direct object references (OWASP Top 10).
Responsible disclosure
If you discover a security vulnerability, we ask that you disclose it responsibly. Email security@getcompliai.com.au with a description of the issue. We acknowledge reports within 48 hours and aim to resolve confirmed vulnerabilities within 30 days. We do not pursue legal action against researchers who follow responsible disclosure guidelines.
Last updated: April 2026