
Security

Last updated: February 1, 2026

Our Commitment

Security is foundational to everything we build at Compass. We understand that you trust us with sensitive product strategies, roadmaps, and specifications. We take that responsibility seriously and implement industry-leading security measures to protect your data.

Security Architecture

Encryption

  • TLS 1.3 for all data in transit
  • AES-256 encryption for data at rest
  • End-to-end encryption for sensitive fields
  • Automated key rotation every 90 days

Authentication

  • Multi-factor authentication (MFA)
  • SSO via SAML 2.0 and OpenID Connect
  • Role-based access control (RBAC)
  • Session management with automatic timeout

Infrastructure

  • SOC 2 Type II certified data centers
  • Geographic redundancy and failover
  • Network segmentation and firewalls
  • DDoS protection and rate limiting

Monitoring

  • 24/7 security monitoring and alerting
  • Real-time intrusion detection (IDS/IPS)
  • Comprehensive audit logging
  • Automated vulnerability scanning

Compliance & Certifications

SOC 2 Type II

Annual audit of security, availability, and confidentiality controls

Certified

GDPR

Full compliance with EU General Data Protection Regulation

Compliant

CCPA

Compliance with California Consumer Privacy Act

Compliant

ISO 27001

Information security management system certification

In Progress

Application Security

  • Regular penetration testing by independent third-party firms
  • Static and dynamic application security testing (SAST/DAST) in CI/CD
  • Dependency vulnerability scanning with automated patching
  • Secure software development lifecycle (SSDLC) practices
  • Code reviews required for all changes with security-focused checklists
  • Input validation and output encoding to prevent injection attacks

AI Security

Our AI systems are designed with security at every layer:

  • Isolated processing environments for each tenant
  • No customer data used for model training
  • Prompt injection protection and output sanitization
  • Rate limiting and abuse detection on AI endpoints
  • Regular red-team testing of AI systems

Business Continuity

  • 99.9% uptime SLA for all paid plans
  • Automated backups with point-in-time recovery
  • Multi-region disaster recovery with <4 hour RTO
  • Incident response plan tested quarterly
  • Status page at status.compass.pm for real-time updates

Responsible Disclosure

Report a Vulnerability

We welcome responsible security research. If you discover a vulnerability, please report it to us. We commit to:

  • Acknowledging your report within 24 hours
  • Providing a timeline for resolution
  • Not pursuing legal action for good-faith research
  • Crediting researchers who help improve our security (with permission)

Report vulnerabilities to security@compass.pm.

Contact

For security-related inquiries, reach out to our security team at security@compass.pm.

© 2026 Compass. All rights reserved.