SECURITY

Your data is safe with us.

Built for compliance teams that read every line. Plain English up top, with the technical detail your security questionnaire needs further down.

Data residency: Frankfurt
Encryption at rest: AES-256
Tamper-evident: SHA-256
Authentication: MFA enforced
§ 02 THE PLAIN-ENGLISH VERSION

Four questions every compliance team asks.

The answers, without the technical jargon. If you need the deeper detail, scroll on.

Where is your data stored?

Every byte of your organisation's audit data lives in Frankfurt, Germany — physically inside the EU, on infrastructure operated by Supabase and Vercel in their eu-central-1 / fra1 regions.

It never moves outside Europe. No CLOUD Act exposure. No transatlantic transfers. The only US-origin service we touch is Calendly — and only for demo scheduling, never for your audit data.

ARTICLE 19 LOGS

How do we prove nothing has been tampered with?

Every AI interaction we log gets a unique SHA-256 fingerprint at the moment it's recorded. The logs themselves are append-only — once written, they cannot be modified or deleted, even by us.

If anyone tried to alter a record, the fingerprint wouldn't match. That's the whole point of “tamper-evident” — and it's how we satisfy Article 19's record-keeping requirement.

Who can access your data?

Your dashboard users see only your organisation's data, isolated at the database level. Multi-factor authentication is enforced on every account. Passwords are never stored by us — credentials are handled by Clerk to EU banking standards.

One honest disclosure: as the Founder, Thomas holds administrative credentials that can technically read any customer's data. We disclose this openly because pretending otherwise would fail any serious due diligence — and we explain how that access is controlled in the technical detail below.

What if something goes wrong?

If a security incident affects your data, we will notify you within 24 hours. If a personal data breach occurs, GDPR Article 33's 72-hour notification clock applies and we handle the supervisory authority reporting on your behalf where required.

We have a documented incident response process — not an aspiration. Containment, customer notification, post-incident review, three-year retention of incident records.

§ 03 FOR THE SECURITY QUESTIONNAIRE

The technical detail.

Five layers of protection. The level of specificity your CISO needs.

01 Encryption — at rest, in transit, end-to-end

All data is encrypted at rest using AES-256, and in transit using TLS 1.2 or higher. Encryption keys are managed by our underlying infrastructure providers (Supabase, Vercel, Clerk) with industry-standard key rotation and protection.

Backups are encrypted with the same standards as production data. Database connection strings, API keys, and service credentials are stored in Vercel's encrypted environment variable system and rotated per documented schedule.

02 Customer isolation — row-level security at the database

Each customer organisation's data is isolated at the database level using PostgreSQL Row-Level Security. A dashboard user from one organisation cannot read or write data belonging to any other organisation — this isolation is enforced by the database engine itself, not by application code.

Every query against the audit_logs table must include an organisation ID matching the authenticated user's organisation membership. Even if our application logic were compromised, cross-tenant access would still be blocked at the database layer.

03 Append-only audit trail — write-once, hash-chained

Audit log entries are write-once: once recorded, they cannot be modified or deleted through the application. The application role used by our Next.js API can INSERT new rows but cannot UPDATE or DELETE existing ones — enforced at the database privilege level.

Every entry includes a SHA-256 integrity hash computed at ingestion time. Any tampering is detectable by recomputing the hash and comparing. This is how Complira meets EU AI Act Article 19's record-keeping requirements in practice.
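The two controls above (organisation isolation enforced by the database engine, and an append-only table whose rows carry a SHA-256 fingerprint computed at ingestion) can both be expressed as PostgreSQL objects. The following is an added illustration, not Complira's own schema or code: the table and column names, the application role name app_api, the session setting app.org_id that the API is assumed to set from the authenticated user's organisation membership, and the exact byte layout hashed are all assumptions made for the example. It also adds a verification query that recomputes every fingerprint and checks each row's link to its predecessor, which is the "recompute the hash and compare" step described above carried through for a whole table.

```sql
-- Added example (assumed names throughout; not the project's schema).
-- Requires PostgreSQL 11+ for the built-in sha256(bytea) function.

CREATE TABLE audit_logs (
    id          bigserial    PRIMARY KEY,
    org_id      uuid         NOT NULL,
    recorded_at timestamptz  NOT NULL DEFAULT now(),
    payload     jsonb        NOT NULL,
    prev_hash   text,                   -- fingerprint of the previous row for this org
    entry_hash  text         NOT NULL   -- SHA-256 over (org_id, recorded_at, payload, prev_hash)
);

-- Layer 03: the application role can append rows but never change or remove them.
-- Absence of UPDATE/DELETE grants is what the engine enforces, independent of app code.
CREATE ROLE app_api NOLOGIN;
REVOKE ALL ON audit_logs FROM PUBLIC;
GRANT SELECT, INSERT ON audit_logs TO app_api;
GRANT USAGE ON SEQUENCE audit_logs_id_seq TO app_api;

-- Layer 02: row-level security keyed on the caller's organisation.
-- The API sets the (assumed) session variable, e.g. SET app.org_id = '<uuid>';
-- if it is unset, current_setting() yields NULL and every row is invisible.
ALTER TABLE audit_logs ENABLE ROW LEVEL SECURITY;
ALTER TABLE audit_logs FORCE ROW LEVEL SECURITY;   -- applies to the table owner as well

CREATE POLICY org_isolation ON audit_logs
    FOR ALL
    TO app_api
    USING      (org_id = current_setting('app.org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.org_id', true)::uuid);

-- Canonical, deterministic fingerprint: jsonb::text is normalised by PostgreSQL,
-- and the timestamp is rendered in UTC so the hash does not depend on session settings.
CREATE OR REPLACE FUNCTION audit_entry_hash(
    p_org_id uuid, p_recorded_at timestamptz, p_payload jsonb, p_prev_hash text
) RETURNS text
LANGUAGE sql STABLE AS $$
    SELECT encode(sha256(convert_to(
        p_org_id::text || '|' ||
        to_char(p_recorded_at AT TIME ZONE 'UTC', 'YYYY-MM-DD"T"HH24:MI:SS.US') || '|' ||
        p_payload::text || '|' ||
        coalesce(p_prev_hash, ''),
        'UTF8')), 'hex');
$$;

-- Layer 03: compute the fingerprint at ingestion and chain it to the previous entry.
-- Whatever the client supplied in prev_hash/entry_hash is overwritten here.
CREATE OR REPLACE FUNCTION audit_logs_before_insert() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    -- Serialise appends per organisation so two concurrent inserts cannot
    -- both chain to the same predecessor (which would fork the chain).
    PERFORM pg_advisory_xact_lock(hashtext(NEW.org_id::text));

    SELECT entry_hash INTO NEW.prev_hash
      FROM audit_logs
     WHERE org_id = NEW.org_id
     ORDER BY id DESC
     LIMIT 1;

    NEW.entry_hash := audit_entry_hash(NEW.org_id, NEW.recorded_at, NEW.payload, NEW.prev_hash);
    RETURN NEW;
END;
$$;

CREATE TRIGGER audit_logs_fingerprint
    BEFORE INSERT ON audit_logs
    FOR EACH ROW EXECUTE FUNCTION audit_logs_before_insert();

-- Verification: recompute every fingerprint and check each row's link to its
-- predecessor. A row with hash_ok = false was altered in place; link_ok = false
-- means a row was removed or inserted out of order between it and its predecessor.
WITH chain AS (
    SELECT id, org_id, recorded_at, payload, prev_hash, entry_hash,
           lag(entry_hash) OVER (PARTITION BY org_id ORDER BY id) AS expected_prev
      FROM audit_logs
)
SELECT id,
       org_id,
       entry_hash = audit_entry_hash(org_id, recorded_at, payload, prev_hash) AS hash_ok,
       prev_hash IS NOT DISTINCT FROM expected_prev                          AS link_ok
  FROM chain
 ORDER BY org_id, id;
```

Two design points worth noting. First, neither the privilege grants nor the RLS policy bind a superuser or a role with BYPASSRLS, which is exactly the administrative access disclosed in the plain-English section; the chain verification is what makes use of that access detectable rather than preventable. Second, because each fingerprint covers the previous row's fingerprint, a verifier only has to retain the latest entry_hash per organisation somewhere the application role cannot write to (a separate store, a customer's own copy) to detect a rewrite of the entire table, not just of individual rows.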

04 Authentication — MFA enforced, Clerk-backed

Dashboard access requires multi-factor authentication, enforced at the identity provider layer (Clerk). MFA is not optional and cannot be disabled by users.

Passwords are never stored by Complira — all credential handling is delegated to Clerk, which applies password strength requirements, hashed storage, session management, and breach-detection to EU banking industry standards. Clerk processes all data within the EU region.

05 Operational controls — break-glass, log aggregation, quarterly review

Administrative access to production infrastructure is held only by the Founder/Privacy Owner and used only for documented purposes (debugging, incident response, schema migration). A documented break-glass procedure governs any exceptional access, with customer notification where the access affects customer data.

External log aggregation runs on Better Stack with 90-day retention for security events. Quarterly internal security reviews are documented in our compliance folder. Sub-processors are SOC 2 Type II audited (Supabase, Vercel, Clerk, Microsoft 365) — see the table below.

§ 04 SUB-PROCESSORS

The shoulders we stand on.

We rely on the certified security postures of audited sub-processors. Most hold SOC 2 Type II or equivalent. DPAs are signed with all of them. Customers are notified at least 30 days before any change.

Service       | Purpose                               | Region                       | Certifications
Supabase      | PostgreSQL — audit logs & org records | eu-central-1 (Frankfurt)     | SOC 2 Type II
Vercel        | Application hosting & serverless      | fra1 (Frankfurt)             | SOC 2 Type II · ISO 27001
Clerk         | Authentication & identity             | EU region                    | SOC 2 Type II
Resend        | Transactional email                   | EU                           | SOC 2 Type II
HubSpot       | CRM — sales pipeline data             | EU region                    | SOC 2 Type II · ISO 27001
Microsoft 365 | Email, calendar, documents            | Ireland (EU Data Boundary)   | SOC 2 · ISO 27001
Calendly      | Demo scheduling                       | US (SCC + DPA)               | SOC 2 Type II
Stripe        | Payments & billing                    | EU region                    | SOC 2 Type II · PCI DSS Level 1 · ISO 27001

For the complete and continuously updated register, including data flow notes, see our sub-processor register.

§ 05 HONEST DISCLOSURE

What's not in place yet.

Plenty of compliance pages claim posture they don't have. We'd rather tell you exactly where we are. None of these are absences — they're roadmap items. Here's both sides of the picture.

NOT YET IN PLACE
  • ISO 27001 / SOC 2 Type II for Complira itself — in scope for our compliance roadmap. We currently inherit the certified posture of our sub-processors, all of whom are SOC 2 Type II audited.
  • Dedicated security personnel — Founder serves dual role of Privacy Owner and security lead until headcount justifies separation.
  • 24/7 Security Operations Centre — not at current scale.
  • Bug bounty program — not currently operating; will be evaluated as user base grows.
  • Published uptime SLA — current target is 99.5% best-effort; formal SLA available on Enterprise tier.
COMMITTED AND ON THE WAY
  • External penetration testing — first engagement scheduled within the next 12 months.
  • Article 14 live human oversight capability — synchronous SDK mode with real-time review queue. Target October 2027.
  • Formal incident response runbook with documented tabletop exercises. First tabletop scheduled Q3 2026.

If a specific certification is a hard requirement for your procurement process, please tell us early in the conversation. We can sometimes accelerate roadmap items in exchange for design-partner status, and we'd rather know up front than at contract signing.

Have a security question?

We're happy to walk you through any of this in detail, complete a security questionnaire for your procurement team, or share documentation for your DPO.

Request DPA