
Data Residency

Where your data lives and regional deployment options.

Understanding where your data is stored and processed is critical for compliance with data protection regulations like GDPR, CCPA, and industry-specific requirements.

What Data Does Compass Store?

| Data | Where Stored | Can Be Regionalised |
|---|---|---|
| User accounts & auth | Primary database | Yes |
| Connector credentials | Primary database (encrypted) | Yes |
| Assessment reports | Primary database | Yes |
| Audit logs | Primary database | Yes |
| Connector metrics | In-memory only (not stored) | N/A |
| AI processing | In-memory only (not stored) | N/A |

The key insight: connector metrics from your IAM systems are never persisted. They flow through memory during report generation and are discarded. Only the final structured report is stored.

Default Region

By default, all Compass data is hosted in the European Union (Frankfurt, Germany). This provides GDPR compliance for all customers by default.

Regional Options

Starter & Pro Plans

All data is stored in the EU default region. For most organisations, this satisfies both EU and US data residency requirements since:

  • EU regulations (GDPR) are satisfied by EU hosting
  • US regulations generally don't restrict where data is stored
  • The connector layer is stateless — your IAM credentials are decrypted, used, and discarded in-memory

Enterprise Plan

Enterprise customers can request:

  • Dedicated database in a specific region (EU, US, APAC)
  • Dedicated infrastructure with full isolation from other customers
  • Data Processing Agreement (DPA) customised to your regulatory requirements
  • On-premises deployment where all data stays in your own environment (see On-Premises Deployment)

AI Processing

When Compass generates reports, the AI processes your connector data. This processing happens in-memory:

  • Connector metrics are sent to the AI service
  • The AI analyses the data and generates a report
  • Only the structured report (findings, recommendations, scores) is stored
  • Raw connector data is not persisted anywhere

For organisations that require AI processing within their own environment, the Enterprise plan supports on-premises deployment with local LLMs.

Data Transfers

For cloud-hosted customers, data may cross borders in these scenarios:

| Scenario | Data Transferred | Protection |
|---|---|---|
| Connector fetching metrics | API calls from Compass to your IAM system | TLS 1.2+, credentials encrypted in transit |
| AI report generation | Aggregated metrics sent to AI service | TLS 1.2+, same-region processing |
| User accessing reports | Report data sent to user's browser | TLS 1.2+ |

Compass does not transfer your data to third parties, advertising networks, or analytics services.