# Compliance
Compass compliance controls for SOC 2, GDPR, and enterprise audit requirements.
Compass is built with enterprise compliance requirements in mind. This page outlines the controls we implement and how they map to common compliance frameworks.
## GDPR

Compass is designed for GDPR compliance by default:

| Requirement | How Compass Addresses It |
|---|---|
| Lawful basis | Data processed under legitimate interest (service delivery) and contractual necessity |
| Data minimisation | Connectors collect only metrics needed for assessment — no bulk data export |
| Storage limitation | Reports and audit logs can be deleted at any time. Audit logs auto-expire per plan tier |
| Right to erasure | Organisations can delete all their data (discoveries, reports, connectors, user accounts) |
| Data portability | Reports are structured JSON that can be exported |
| Data residency | Default EU hosting (Frankfurt). See Data Residency |
| Data processing agreement | Available for Enterprise customers |
## SOC 2

Compass implements controls aligned with SOC 2 Type II trust service criteria:

### Security
- Envelope encryption for credentials at rest
- TLS 1.2+ for all data in transit
- Role-based access control with organisation scoping
- Multi-factor authentication support
- Session timeout and secure cookie management
### Availability
- Application monitoring via Sentry
- Automatic error detection and alerting
- Infrastructure hosted on SOC 2 certified providers (Vercel, Railway)
### Confidentiality
- Connector credentials encrypted at rest with envelope encryption
- Stateless connector layer — no credential persistence
- No sharing of data between organisations
- Audit logging for all data access
### Processing Integrity
- Multi-model AI validation to catch errors in analysis
- Calibration feature for human review of AI assumptions
- Versioned reports for tracking changes over time
## Audit Controls

### Audit Logging
Compass logs security-relevant events:
- User authentication (sign-in, sign-out, failed attempts)
- Connector operations (created, updated, deleted, data fetched)
- Discovery operations (created, report generated, rerun initiated)
- Organisation changes (members invited, roles changed)
- Settings changes (connectors modified, billing updated)
### Audit Log Retention

| Plan | Retention |
|---|---|
| Starter | 30 days |
| Pro | 90 days |
| Enterprise | Unlimited |
### Audit Log Access
Organisation admins can view audit logs in Settings. Enterprise customers can export logs for ingestion into their SIEM.
## Industry-Specific Compliance
Compass assessment reports include compliance scoring against:
- SOX — Segregation of duties, access certification, privileged access controls
- HIPAA — Workforce security, access management, audit controls
- NIST 800-53 — Identity governance, privilege management, monitoring
- ISO 27001 — Access control policy, user access management, system monitoring
These scores reflect your IAM infrastructure's compliance posture — not Compass's own compliance. They help you identify gaps and prioritise remediation.
## Requesting Compliance Documentation
Enterprise customers can request:
- Security questionnaire responses
- Data processing agreements
- Penetration test summaries
- Infrastructure architecture documentation
Contact security@usecompass.io for compliance inquiries.