We ask our customers to trust us with visibility into their most critical systems. We take that seriously. This is the page where we show our work — our security posture, how we handle data, what we're certified against, and where to reach us if you find something we missed.
We map our operations to the frameworks small and mid-sized businesses get audited against. No vanity badges, no compliance theater. Details available under NDA during onboarding.
Our detection and response infrastructure is audited annually against SOC 2 Type II criteria. Report available to prospects and customers under NDA.
Operations mapped to the NIST Cybersecurity Framework 2.0 core functions: Govern, Identify, Protect, Detect, Respond, Recover.
Technical, administrative, and physical safeguards designed to support HIPAA Security Rule obligations. BAAs executed with covered entities.
Controls supporting PCI DSS 4.0 requirements for merchants and service providers handling cardholder data. Attestation available on request.
Practices aligned with CMMC Level 1 and 2 for Department of Defense contractors and their supply chain. Assessment documentation support available.
Controls align with FFIEC examination expectations. Proven track record with credit unions achieving top-tier NCUA exam outcomes.
Honest answers to the questions our customers — and their auditors — actually ask.
Only what's needed to detect and respond to threats: process execution telemetry, scheduled task creation, persistence mechanisms, login events, network connection metadata, and relevant system configuration. We do not collect document content, email bodies, or the personal data your employees process day-to-day.
All customer telemetry is stored in U.S.-based data centers operated by our detection platform partner. Data in transit is encrypted with TLS 1.2+. Data at rest is encrypted with AES-256. No offshore processing.
Telemetry data is retained for one year from collection, in line with forensic investigation requirements. Incident records are retained for seven years to support compliance and legal hold obligations. Customers can request earlier deletion for any specific data set.
No. Never. We do not sell customer data, trade it, license it, or share it with advertisers, brokers, or marketing partners. Data is accessed only by our SOC analysts and our detection platform, strictly for the purpose of delivering the service.
Access is limited to SOC analysts with role-based permissions, logged and audited. Minimum-necessary access is enforced — an analyst sees your telemetry only when reviewing an active alert. All analyst actions are recorded in audit logs available for customer review under NDA.
We require a valid legal process (subpoena, court order, or warrant) for any disclosure of customer data to law enforcement. We will notify the affected customer before disclosure unless legally prohibited from doing so. Full process documented in our MSA.
Upon termination, your endpoint agents are deactivated and removed from active monitoring. Customer telemetry is purged from active systems within 30 days. Archival copies maintained for legal/compliance obligations are deleted at the end of their retention window. Deletion attestation available on request.
Yes. Customers can request a full export of their telemetry and incident records at any time during an active contract. Exports are delivered in a standard format (JSON or CSV) via secure transfer, typically within 10 business days of request.
We use carefully selected third-party providers to deliver Complyn Sentinel. The categories below describe what each does at a high level. A full named subprocessor list is provided to customers under NDA as part of onboarding.
A cybersecurity company is a target. We've planned for it. This is our public commitment to what we'll do if Complyn experiences a security incident affecting customer data.
Internal incident response team activates. Affected systems isolated. Scope of impact assessed. SOC operations continue uninterrupted for unaffected infrastructure.
Customers whose data may be affected receive direct notification within 24 hours of confirmed impact. Notification includes what we know, what we're doing, and what (if anything) the customer should do.
Where legally required (GDPR, state breach laws, sector regulations), regulators notified within statutory windows. We do not delay notifications to manage PR.
Affected customers receive a written post-incident report: root cause, scope, remediation, and changes we're making to prevent recurrence. Public summary published if the incident materially affected the service.
Our commitment: We will not minimize, delay, or obfuscate any security incident affecting customer data. We will communicate plainly, quickly, and in writing. If we ever fail this standard, we expect to be held accountable.
We welcome security research from outside our organization. If you've discovered a vulnerability in our website, customer portal, or any Complyn-controlled asset, we want to hear about it.
Submissions are encrypted in transit and routed directly to our security team. We review every report.
The documents below are available to prospects evaluating Complyn and to active customers. Most are provided under NDA — typical turnaround is one business day.
Need a document that isn't listed? Ask.
When you're ready to bring Complyn into your evaluation process, we'll move quickly on documentation, security reviews, and contract terms. Most engagements are under protection within one business day of commitment.