Security Overview

How Compass AI protects your data, credentials, and assessment results.

As an IAM assessment platform, Compass handles sensitive information about your identity infrastructure. This page explains our security architecture and the controls we use to protect your data.

Security Principles

  1. Read-only access — Connectors never modify your IAM systems. Compass only reads metrics.
  2. Encryption everywhere — Credentials are encrypted at rest, and all data in transit uses TLS 1.2 or later.
  3. Stateless connectors — Connector services don't store your data or credentials. Everything is processed in-memory and discarded.
  4. Organisation isolation — Every database query is scoped to your organisation. No cross-tenant data access is possible.
  5. Least privilege — Connectors request only the API permissions needed to collect metrics.

Architecture

┌────────────────────────────────────────────────┐
│              Your IAM Systems                  │
│  (Azure AD, Okta, SailPoint, CyberArk, etc.)   │
└──────────────────┬─────────────────────────────┘
                   │ TLS 1.2+
                   │ Read-only API calls
┌──────────────────▼─────────────────────────────┐
│          Connector Layer (Stateless)           │
│  • Receives encrypted credentials per-request  │
│  • Calls your IAM APIs                         │
│  • Returns structured metrics                  │
│  • Discards credentials after use              │
└──────────────────┬─────────────────────────────┘
                   │ Structured metrics
┌──────────────────▼─────────────────────────────┐
│               AI Analysis Layer                │
│  • Processes metrics in-memory                 │
│  • Generates structured reports                │
│  • No raw data persisted                       │
└──────────────────┬─────────────────────────────┘
                   │ Structured reports
┌──────────────────▼─────────────────────────────┐
│               Application Layer                │
│  • Reports stored encrypted in PostgreSQL      │
│  • Organisation-scoped access control          │
│  • Role-based permissions via better-auth      │
│  • Audit logging for all operations            │
└────────────────────────────────────────────────┘

Authentication & Access Control

  • Multi-factor authentication — Supported for all user accounts
  • SSO — Available on Enterprise plans (SAML 2.0 / OIDC)
  • Role-based access — Organisation admins control who can view reports, manage connectors, and invite team members
  • Session management — Configurable session timeouts, secure cookie handling
  • Passkey support — WebAuthn-based passwordless authentication

Data Handling

Data Type              Storage         Encryption                   Retention
---------------------  --------------  ---------------------------  -------------------------------------
Connector credentials  PostgreSQL      Envelope encryption at rest  Until connector is deleted
Assessment reports     PostgreSQL      At rest (AES-256)            Until discovery is deleted
Connector metrics      In-memory only  TLS in transit               Not persisted after report generation
Audit logs             PostgreSQL      At rest                      30/90/unlimited days by plan
User accounts          PostgreSQL      Passwords hashed (bcrypt)    Until account is deleted

Vulnerability Management

  • Dependencies monitored with automated security scanning
  • Regular dependency updates across all services
  • Application error monitoring via Sentry (no sensitive data captured)

Incident Response

If a security incident affects your data, we will:

  1. Notify affected organisations within 72 hours
  2. Provide a detailed incident report
  3. Implement corrective measures
  4. Offer a post-incident review

For security concerns or to report a vulnerability, contact security@usecompass.io.