Documentation
Security & ComplianceCredential Security

Credential Security

How Compass protects the API keys and credentials used to connect to your IAM systems.

When you connect an IAM system to Compass, you provide API credentials (client IDs, secrets, tokens). Protecting these credentials is our top priority — if compromised, they could grant read access to your identity infrastructure.

Encryption at Rest

All connector credentials are envelope encrypted in the database:

  1. Each credential set is encrypted with a unique data encryption key (DEK)
  2. The DEK is itself encrypted with a master key (KEK)
  3. The master key is stored separately from the database
  4. Decryption only happens in-memory when a connector call is made

This means even if the database were compromised, credentials remain encrypted and unusable without the master key.

Credential Lifecycle

Storage

  • Credentials are encrypted immediately upon submission
  • Plaintext credentials never touch disk
  • Database backups contain only encrypted credential data

Usage

  • Credentials are decrypted in-memory only when a discovery runs
  • The decrypted credentials are passed directly to the connector service
  • After the API call completes, credentials are discarded from memory

Rotation

  • You can update credentials at any time in Settings > Connectors
  • Old credentials are overwritten (not versioned) — only the current credential is stored
  • We recommend rotating credentials every 90 days or per your organisation's policy

Deletion

  • When you delete a connector, all associated credentials are permanently deleted
  • Deletion is immediate — there is no grace period or soft-delete

Connector Layer Isolation

The connector services that make API calls to your IAM systems are stateless:

  • No filesystem storage
  • No local database
  • No credential caching
  • No request logging that includes credentials

Each API call receives credentials, uses them, and forgets them. There is no mechanism for a connector service to store or forward credentials.

What We Never Do

  • Store credentials in plaintext
  • Log credentials in application logs
  • Include credentials in error reports or monitoring
  • Share credentials between organisations
  • Access your IAM systems outside of discovery runs you initiate
  • Retain credentials after a connector is deleted

Recommendations

  • Use service accounts — Create dedicated read-only accounts for Compass rather than using personal admin credentials
  • Scope permissions minimally — Only grant the specific API permissions listed in each connector's documentation
  • Rotate regularly — Update credentials on a regular schedule (we recommend every 90 days)
  • Monitor API usage — Check your IAM platform's API logs for unexpected access patterns
  • Use time-limited tokens where possible — Some platforms (like Okta) support tokens with automatic expiry

Security Overview

How Compass AI protects your data, credentials, and assessment results.

Data Residency

Where your data lives and regional deployment options.

On this page

Encryption at RestCredential LifecycleStorageUsageRotationDeletionConnector Layer IsolationWhat We Never DoRecommendations