Security
Last updated: 28 May 2026
Our security posture
cmpliance.ai is designed for regulated compliance work. The Service may process counterparty information, compliance evidence, risk signals, workflow activity, and audit records. Security, data protection, and defensible evidence handling are core product requirements.
This page summarises our public security posture. Specific controls may vary by plan, feature, deployment model, and signed customer agreement.
How we protect data
Encryption and transport security
- We use HTTPS/TLS for browser and API traffic.
- We use provider-managed encryption at rest for applicable managed infrastructure and storage services.
- Evidence and document workflows are designed to support integrity checks, auditability, and source traceability.
Access controls
- Role-based access control is used across platform functions.
- Access is scoped by tenant, role, and permission.
- Administrative access is restricted to authorised personnel.
- Authentication and MFA capabilities are provided through the identity layer and may be enforced according to customer configuration and plan.
- API credentials and tokens are handled through server-side controls and are not intentionally exposed in client-side code.
Auditability
- Compliance workflows are designed to record user actions, system actions, evidence events, and decision history.
- Audit records are used to support review, investigation, export, and proofpack generation.
- Where the product creates evidence packs, the goal is to preserve source references, timestamps, actor context, and decision rationale.
Infrastructure and operations
- We use reputable infrastructure and service providers for hosting, storage, authentication, email, payments, workflow execution, and related services.
- We maintain dependency scanning, code review, test coverage, and security review practices appropriate to the maturity of the Service.
- We apply vulnerability management and incident-response processes.
- Core production architecture is designed with Switzerland- and EEA-oriented processing in mind where practical. Specific provider locations and transfer safeguards are governed by the applicable customer agreement and subprocessor terms.
No model training on Customer Data
We do not use Customer Data to train public or foundation AI models. Customer Data is processed to provide the Service and as otherwise permitted by the applicable customer agreement.
Responsible disclosure
If you discover a vulnerability in cmpliance.ai, report it to us responsibly before public disclosure. We are committed to working with security researchers in good faith.
Email: cmp@cmpliance.ai
PGP key: available on request
Please include:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact
- Any safe proof-of-concept material
- Your contact details if you want follow-up
Our commitments
- Acknowledge receipt within 2 business days where contact details are provided
- Triage valid reports and provide updates where appropriate
- Avoid legal action against good-faith research conducted within this policy
In scope
- cmpliance.ai web application
- cmpliance.ai API endpoints
- Authentication and authorisation mechanisms
- Tenant isolation issues
- Evidence, proofpack, and workflow integrity issues
Out of scope
- Social engineering against our team, customers, or suppliers
- Physical attacks
- Denial-of-service or rate-limit stress testing
- Accessing, modifying, or deleting data that is not yours
- Attacks on third-party systems we do not control
We do not currently operate a paid bug bounty programme.
Subprocessors
We use subprocessors and service providers to operate the Service. A public summary is available on the Subprocessors page. Final subprocessor commitments, notice periods, objection rights, and transfer safeguards are governed by the applicable customer agreement.
Incident response
If a security incident affects Customer Data, we will:
- Investigate and contain the incident
- Notify affected customers without undue delay where notification obligations are triggered
- Provide information reasonably needed for customer assessment and regulatory notification
- Cooperate with remediation and follow-up steps required under the applicable customer agreement
Contact
cmp@cmpliance.ai
paterhn GmbH, Gotthardstrasse 26, 6300 Zug, Switzerland