Complaix

Trust Center

How we protect your compliance data.

Complaix handles regulatory data. You deserve to know exactly how. This page lists every control we enforce, every attestation we hold (or are working toward), and every contract we sign.

Platform security

Encryption everywhere

TLS 1.2+ in transit, with HSTS preload. AES-256 at rest on Supabase-managed disks. Card data is hosted by Stripe; we never see or store payment instruments.

Multi-tenant isolation via RLS

Every business table carries an organization_id foreign key and a PostgreSQL row-level security policy keyed on it. Cross-tenant reads and writes are rejected by the database itself, not just by application convention.
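Added example (not Complaix's own schema): the shape of a per-tenant RLS policy of the kind described above, plus the catalog query that checks no table was missed. The names public.organizations, public.organization_members, public.documents, the Supabase roles 'authenticated' and 'service_role', and Supabase's auth.uid() helper (the user id from the request JWT) are assumptions for this example. Two caveats apply to any "by construction" claim: the Supabase service-role key maps to a database role with BYPASSRLS, so server-side code using it must apply the tenant check itself, and views and SECURITY DEFINER functions run with their owner's privileges, so they need their own scoping.

```sql
-- Added example, not Complaix's own schema. Assumed names: public.organizations,
-- public.organization_members, public.documents, Supabase's auth.uid() and the
-- Supabase role 'authenticated'.

create table if not exists public.organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

-- Membership is written only by the service role (no INSERT policy below).
create table if not exists public.organization_members (
  organization_id uuid not null references public.organizations(id),
  user_id         uuid not null,
  primary key (organization_id, user_id)
);

create table if not exists public.documents (
  id              uuid primary key default gen_random_uuid(),
  organization_id uuid not null references public.organizations(id),
  title           text not null
);

-- Membership lookup used by every tenant policy. STABLE lets the planner
-- evaluate it once per statement rather than once per row.
create or replace function public.member_org_ids() returns setof uuid
language sql stable as $$
  select organization_id from public.organization_members
  where user_id = auth.uid();
$$;

-- Users may only see their own membership rows.
alter table public.organization_members enable row level security;
alter table public.organization_members force row level security;
create policy members_self on public.organization_members
  for select to authenticated using (user_id = auth.uid());

-- Tenant isolation on a business table. FORCE applies the policy to the table
-- owner as well; without it the owning role reads every tenant's rows.
alter table public.documents enable row level security;
alter table public.documents force row level security;

-- USING filters reads, updates and deletes; WITH CHECK stops a member from
-- inserting or moving a row into an organisation they do not belong to.
create policy documents_tenant on public.documents
  for all to authenticated
  using      (organization_id in (select public.member_org_ids()))
  with check (organization_id in (select public.member_org_ids()));

-- Check: every ordinary table in public must have RLS enabled, forced, and at
-- least one policy. Run this in CI against a migrated database; any row it
-- returns is a table protected by convention rather than enforcement.
select c.relname,
       c.relrowsecurity      as rls_enabled,
       c.relforcerowsecurity as rls_forced,
       count(p.oid)          as policies
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policy p on p.polrelid = c.oid
where n.nspname = 'public' and c.relkind = 'r'
group by c.oid, c.relname, c.relrowsecurity, c.relforcerowsecurity
having not c.relrowsecurity or not c.relforcerowsecurity or count(p.oid) = 0;
```

A table with RLS enabled but no policy denies everything to non-owner roles, which is safe but usually a migration mistake, so the check lists it too.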

Strict Content Security Policy

Per-request CSP nonce with 'strict-dynamic'. No 'unsafe-inline' in script-src. frame-ancestors 'none' blocks framing (clickjacking). Scored A on securityheaders.com.

Append-only audit log

Every role change, billing event, auth event, GDPR action, feature-flag change, DSAR transition and Stripe webhook is recorded with the client IP address, user agent and a correlation ID.

Append-only evidence vault

10-year retention (Art. 18). The vault has no UPDATE or DELETE policy, so rows can only be added, never changed or removed. Monthly signed archives (SHA-256) are written to a separate storage bucket so the data survives loss of the primary project.
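Added example (not Complaix's own code): one way to build an append-only, tamper-evident table of the kind the audit log and the evidence vault above are described as. It layers three controls (grants, RLS policies, a trigger) so that the claim does not rest on RLS alone, and chains row hashes so that a removed or altered row is detectable. The table name and columns, and the Supabase roles 'anon', 'authenticated' and 'service_role', are assumptions for this example.

```sql
-- Added example, not Complaix's own code. Table layout and the Supabase roles
-- anon / authenticated / service_role are assumed.

create table if not exists public.evidence_vault (
  id              bigint generated always as identity primary key,
  organization_id uuid        not null,
  recorded_at     timestamptz not null default now(),
  payload         jsonb       not null,
  prev_hash       bytea,                 -- row_hash of the previous row, null for the first
  row_hash        bytea       not null   -- sha256(prev_hash || organization_id || payload)
);

-- 1. Privilege level: no application role holds UPDATE, DELETE or TRUNCATE,
--    not even the service role.
revoke update, delete, truncate on public.evidence_vault
  from public, anon, authenticated, service_role;
grant insert, select on public.evidence_vault to authenticated, service_role;

-- 2. Policy level: only INSERT and SELECT policies exist. A command with no
--    matching policy is denied, so UPDATE and DELETE have no path at all.
--    Substitute the tenant predicate used on business tables for (true).
alter table public.evidence_vault enable row level security;
create policy vault_insert on public.evidence_vault
  for insert to authenticated with check (true);
create policy vault_select on public.evidence_vault
  for select to authenticated using (true);

-- 3. Trigger level: fires for the table owner and superusers too, and a
--    statement-level trigger also catches TRUNCATE, which row triggers miss.
create or replace function public.vault_reject_change() returns trigger
language plpgsql as $$
begin
  raise exception 'evidence_vault is append-only (% refused)', tg_op
    using errcode = 'insufficient_privilege';
end $$;

create trigger vault_no_change
  before update or delete or truncate on public.evidence_vault
  for each statement execute function public.vault_reject_change();

-- 4. Hash chain: each row commits to its predecessor, so deleting or editing a
--    row breaks every later hash. The advisory lock serialises inserts so the
--    chain has one well-defined order; SECURITY DEFINER lets the function read
--    the previous row regardless of the inserting user's RLS scope. Any
--    prev_hash / row_hash supplied by the client is overwritten here.
create or replace function public.vault_chain_row() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  perform pg_advisory_xact_lock(hashtext('public.evidence_vault'));
  select row_hash into new.prev_hash
    from public.evidence_vault order by id desc limit 1;
  new.row_hash := sha256(coalesce(new.prev_hash, '\x'::bytea)
                  || convert_to(new.organization_id::text || new.payload::text, 'UTF8'));
  return new;
end $$;

create trigger vault_chain
  before insert on public.evidence_vault
  for each row execute function public.vault_chain_row();

-- 5. Verification: recompute every link. An empty result means the chain is
--    intact; each row returned is a break (or the first row after one).
with ordered as (
  select id, organization_id, payload, prev_hash, row_hash,
         lag(row_hash) over (order by id) as expected_prev
  from public.evidence_vault
)
select id
from ordered
where prev_hash is distinct from expected_prev
   or row_hash <> sha256(coalesce(prev_hash, '\x'::bytea)
                 || convert_to(organization_id::text || payload::text, 'UTF8'));
```

The jsonb-to-text cast is canonical (key order is normalised), so the same payload always hashes the same way. Storing the latest row_hash alongside each monthly archive gives the off-project copy something independent to compare the live chain against.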

Rate-limited sensitive endpoints

Sign-in, registration, password reset, invitations and GDPR export are all rate-limited. Counters are shared across Vercel instances via Upstash Redis, and the limiter fails closed if Redis times out.

Authentication & access

Strong password + optional MFA

12+ characters with mixed case and digits; bcrypt hashing via Supabase Auth. TOTP two-factor authentication is available. Once a user has enrolled, later logins must reach the higher session assurance level (TOTP verified) before the session is accepted.

Role model

Three roles — user, admin, super-admin — with a last-admin protection trigger that guarantees every organisation retains at least one administrator.

Privileged-column protection

Database triggers reject end-user changes to role, is_super_admin, organization_id, pending_plan_id and deletion_requested_at. Only the service role may write these columns.
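Added example (not Complaix's own code), covering both the last-admin protection in "Role model" and the privileged-column guard above, since both live as triggers on the same table. The public.profiles table and its columns are assumptions; the service-role check relies on the fact that requests made with the Supabase service-role key run under the service_role database role, so current_user identifies them. The last-admin check serialises per organisation, because under READ COMMITTED two concurrent demotions of an organisation's last two admins would otherwise each see the other admin still present and both succeed.

```sql
-- Added example, not Complaix's own code. The profiles table, its columns and
-- the Supabase service_role database role are assumed.

create table if not exists public.profiles (
  id                    uuid primary key,
  organization_id       uuid not null,
  role                  text not null default 'user' check (role in ('user', 'admin')),
  is_super_admin        boolean not null default false,
  pending_plan_id       text,
  deletion_requested_at timestamptz
);

-- Guard 1: privileged columns may only be set by the service role. Covers
-- INSERT as well, so a self-created profile cannot start out as an admin.
create or replace function public.profiles_protect_privileged_columns() returns trigger
language plpgsql as $$
begin
  if current_user = 'service_role' then
    return new;                       -- trusted server-side code path
  end if;
  if tg_op = 'INSERT' then
    if new.role <> 'user' or new.is_super_admin
       or new.pending_plan_id is not null or new.deletion_requested_at is not null then
      raise exception 'privileged column set outside the service role'
        using errcode = 'insufficient_privilege';
    end if;
    return new;
  end if;
  if new.role                  is distinct from old.role
  or new.is_super_admin        is distinct from old.is_super_admin
  or new.organization_id       is distinct from old.organization_id
  or new.pending_plan_id       is distinct from old.pending_plan_id
  or new.deletion_requested_at is distinct from old.deletion_requested_at then
    raise exception 'privileged column changed outside the service role'
      using errcode = 'insufficient_privilege';
  end if;
  return new;
end $$;

create trigger profiles_privileged_guard
  before insert or update on public.profiles
  for each row execute function public.profiles_protect_privileged_columns();

-- Guard 2: an organisation always keeps at least one admin. Fires on demotion,
-- on moving an admin to another organisation, and on deleting an admin row.
-- SECURITY DEFINER lets it count admins the acting user may not be able to see.
create or replace function public.profiles_keep_last_admin() returns trigger
language plpgsql security definer set search_path = public as $$
declare
  losing_admin boolean;
begin
  if tg_op = 'DELETE' then
    losing_admin := old.role = 'admin';
  else
    losing_admin := old.role = 'admin'
                    and (new.role <> 'admin' or new.organization_id <> old.organization_id);
  end if;
  if losing_admin then
    -- Serialise per organisation so two concurrent demotions cannot both pass.
    perform pg_advisory_xact_lock(hashtext(old.organization_id::text));
    if not exists (select 1 from public.profiles
                   where organization_id = old.organization_id
                     and role = 'admin' and id <> old.id) then
      raise exception 'organisation % must keep at least one admin', old.organization_id
        using errcode = 'check_violation';
    end if;
  end if;
  if tg_op = 'DELETE' then
    return old;
  end if;
  return new;
end $$;

create trigger profiles_last_admin_guard
  before update or delete on public.profiles
  for each row execute function public.profiles_keep_last_admin();
```

Both triggers are BEFORE triggers and fire in name order, so the last-admin check runs first; a demotion that would orphan an organisation is refused even when the service role performs it.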

Session lifecycle

Session tokens are refreshed on every request in middleware. Logout clears all auth cookies. A password change invalidates all existing sessions.

Data protection & GDPR

EU-first data residency

Primary Supabase project in EU West. Sentry (optional) is configured for its EU region. Brevo (SMTP) is EU-headquartered. The full list is at /subprocessors, with an RSS feed for change notifications.

Self-service data rights

Users export their data (Art. 15/20) as a ZIP via /settings/privacy. Request account deletion (Art. 17) with a 30-day grace window. Admins track DSARs in an inbox with a 30-day SLA clock.

DPA + DPIA

Standard DPA at /dpa. Our own processing DPIA (Art. 35) is available on request. Both are versioned and updated on subprocessor changes.

Backup + restore

Daily Supabase snapshots, 7-day point-in-time recovery (PITR) on the Pro plan, and a monthly off-project archive of evidence and audit data. Restore drills are scripted and run quarterly.

Compliance posture

Framework                  | Status                                 | Notes
GDPR                       | In force                               | EU-based processing. DPIA, DPA and subprocessor register all published.
EU AI Act (self)           | Applied to ourselves                   | Our own AI components classified and published at /ai-policy (Annex IV-style).
European Accessibility Act | Automated WCAG 2.2 AA regression live  | Manual audit planned before GA.
NIS2                       | Prepared as processor                  | SIEM-ready audit export, incident response runbook, 24h notification path.
SOC 2 Type I               | Readiness in progress                  | GRC tooling engaged; audit scheduled.
ISO/IEC 42001              | Gap assessment complete                | 38 controls mapped; Stage 1 audit after SOC 2 Type I.
ISO/IEC 27001              | Roadmapped                             | Sits under the SOC 2 + ISO 42001 parent management system.

Liability & insurance

Complaix carries insurance appropriate to the scale and scope of the platform today. Our standard contractual commitments include:

Professional indemnity (E&O)

Covers claims that our compliance classifications or documentation output caused customer loss. Required for every enterprise customer.

Cyber liability

Covers breach-notification costs, forensic investigation, regulatory exposure, and third-party claims arising from a cyber incident.

Commercial general liability

Baseline coverage for business operations.

DPA + MSA

Every pilot contract includes a Data Processing Agreement and a Master Services Agreement. Request review copies via legal@.

Observability & incident response

Operational monitoring

Sentry captures every server-side exception. BetterStack runs heartbeat checks against our public health endpoint and Supabase. An internal SLO dashboard aggregates both, plus request throughput.

Incident response

24 h internal detection SLA via Sentry and BetterStack alerting. Public status page at status.complaix.eu. Tabletop exercises cover region outage, webhook compromise and cross-tenant leak.

Breach notification

GDPR Art. 33: supervisory authority within 72 hours. Customer notification per contractual DPA terms. Evidence retained in the append-only audit log.

SIEM-ready audit export

Hourly JSON dump of the audit log to a tamper-evident storage bucket. Customers needing SIEM integration receive short-lived signed URLs.

Responsible disclosure

If you think you found a security issue, write to security@complaix.eu with a reproducer. We acknowledge within 3 business days and aim to remediate high-severity issues within 14 days.

Machine-readable details: /.well-known/security.txt. Full disclosure policy: /security.

Contacts

Privacy / data protection

Last reviewed 2026-05-07 · Reviewed quarterly · Source-of-truth: /subprocessors · /privacy · /dpa · /status
