Security at ComplyForm
Data Handling by Tier
Community and Pro tiers: zero data leaves your machine. The CLI runs locally, reads your Terraform state locally, and writes reports locally. No network calls. No telemetry. No account required.
Team and above: scan results are stored in Google Cloud Firestore with CMEK encryption (Cloud KMS, AES-256). Data resides in us-central1.
Customers can request full data export (GDPR Art. 20) or deletion (GDPR Art. 17) via the API.
Encryption
At rest: AES-256-GCM via Cloud KMS customer-managed encryption keys (CMEK). In transit: TLS 1.3 on all endpoints.
Profile bundle integrity: HMAC-SHA256 manifest signatures (online verification) and Ed25519 detached signatures (air-gap verification).
Assessment attestations: Ed25519-signed in-toto v1 attestations (SLSA/Sigstore standard). Independently verifiable with complyform verify.
Authentication
Dashboard: Google OAuth 2.0 (Team/Agency). SAML SSO via WorkOS identity broker (Enterprise). SCIM Directory Sync (Enterprise).
CLI license validation: HMAC-SHA256 license key hash. Air-gap option: Ed25519-signed license files verified offline.
Webhooks (incoming and outgoing): HMAC-SHA256 signature verification with timestamp replay protection (5-minute window).
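As an added illustration of the webhook scheme described above (example code, not ComplyForm's own implementation): a receiver rejects a delivery whose timestamp falls outside the 5-minute window, then checks the HMAC-SHA256 tag in constant time. The message layout ("<timestamp>.<body>"), hex encoding, and header names are assumptions, since the page does not specify them.

```python
import hmac
import hashlib
import time
from typing import Optional

# Assumed wire format (not specified on the page): the signed message is
# "<unix_timestamp>.<raw_body>" and the tag is hex-encoded. The 300-second
# window is the page's 5-minute replay window.
REPLAY_WINDOW_SECONDS = 300


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """Sender side: HMAC-SHA256 over the timestamp and the raw body."""
    message = str(timestamp).encode() + b"." + body
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, timestamp_header: str, body: bytes,
                   signature_header: str, now: Optional[float] = None) -> bool:
    """Receiver side: returns True only if the timestamp is fresh AND the
    tag matches. Freshness is checked first so replayed deliveries are
    dropped before any MAC work is done."""
    now = time.time() if now is None else now
    try:
        timestamp = int(timestamp_header)
    except (TypeError, ValueError):
        return False  # malformed or missing timestamp header
    # Replay protection: anything outside +/- window around now is rejected,
    # which also covers clock skew in either direction.
    if abs(now - timestamp) > REPLAY_WINDOW_SECONDS:
        return False
    expected = sign_webhook(secret, timestamp, body)
    # compare_digest runs in constant time, so a mismatch does not leak
    # how many leading characters of the tag were correct.
    return hmac.compare_digest(expected, signature_header.lower())


if __name__ == "__main__":
    # Constructed demo values; a real secret comes from a secret store.
    demo_secret = b"constructed-demo-secret"
    demo_body = b'{"scan_id":"demo","status":"complete"}'
    ts = int(time.time())
    tag = sign_webhook(demo_secret, ts, demo_body)
    print("fresh delivery accepted:", verify_webhook(demo_secret, str(ts), demo_body, tag))
    print("stale delivery accepted:", verify_webhook(demo_secret, str(ts - 600), demo_body, tag))
```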
API keys: SHA-256 hashed at rest. Regenerable via dashboard. Never logged or exposed in responses.
Infrastructure
Primary region: GCP us-central1. Disaster recovery: us-east4.
Cloud Armor WAF with OWASP Top 10 preconfigured rule sets (SQL injection, XSS, LFI, RFI, RCE, protocol attacks). Rate limiting on all endpoints via Cloud Armor (IP-based throttling and ban policies).
VPC with private service networking. All internal services communicate over private IP. All secrets stored in GCP Secret Manager with automatic rotation schedules.
Compliance
ComplyForm scans its own infrastructure using ComplyForm. SOC 2 Type II controls are implemented and self-assessed.
Checkov: zero failures across all 215+ Terraform-managed resources.
Infrastructure-as-code: 100% of production infrastructure is defined in Terraform. No console-only resources.
Penetration Testing
Annual third-party penetration test scheduled.
Responsible disclosure policy: see SECURITY.md in the GitHub repository.
Subprocessors
| Subprocessor | Purpose |
|---|---|
| Google Cloud Platform | Infrastructure (compute, storage, database, networking, KMS) |
| Paddle | Payment processing, merchant of record, sales tax compliance |
| Postmark | Transactional email delivery |
| Cloudflare | CDN, DNS, DDoS protection, website hosting |
| WorkOS | Enterprise SSO (SAML) and SCIM Directory Sync |
| PagerDuty | Operational alerting and incident management |
| iubenda | Legal document hosting (Terms of Service, Privacy Policy, Cookie Policy) |
Contact
For security inquiries, contact security@complyform.dev. For responsible disclosure, see our SECURITY.md on GitHub.