Technical and organisational measures
Last updated: 28 May 2026
Purpose
This page summarises the technical and organisational measures used to protect personal data processed through cmpliance.ai. It is a public overview, not a complete security schedule. The applicable customer agreement controls any customer-specific security commitments.
Governance
- Security and data protection are considered in product and engineering decisions.
- Access to production systems is limited to authorised personnel.
- Customer Data is handled according to role, purpose, and operational need.
- Security-sensitive changes are reviewed before release where appropriate.
Access control
- Role-based access control is used in the platform.
- Tenant boundaries are enforced at the application and data-access layers.
- Administrative access is restricted and logged where supported by the relevant system.
- Authentication and MFA capabilities are provided through the identity layer and may be enforced according to customer configuration and plan.
Data protection
- Browser and API traffic use HTTPS/TLS.
- Managed infrastructure and storage services use provider-managed encryption at rest where applicable.
- Customer Data is not used to train public or foundation AI models.
- Production or pilot processing of real customer personal data requires applicable written terms.
Auditability and evidence
- Compliance workflows are designed to maintain source references, actor context, timestamps, and decision history.
- Evidence and proofpack workflows are designed to support review, reconstruction, and defensibility.
- Audit records support internal review, customer investigation, and export where available.
Availability and resilience
- The Service uses managed infrastructure providers for hosting, storage, workflow execution, and related services.
- Backups, recovery, monitoring, and operational processes are maintained according to the maturity and configuration of the Service.
- Specific RPO, RTO, service-credit, or disaster-recovery commitments require a signed customer agreement.
Vulnerability management
- Dependencies and code are reviewed through engineering workflows.
- Security issues are triaged according to severity and impact.
- Responsible disclosure reports can be sent to cmp@cmpliance.ai.
- We do not currently operate a paid bug bounty programme.
Incident response
If a security incident affects Customer Data, we will investigate, contain, and notify affected customers without undue delay where notification obligations are triggered.
Subprocessors and transfers
We use subprocessors to provide, secure, support, and improve the Service. A public summary is available on the Subprocessors page. Transfer safeguards and customer-specific processing terms are governed by the applicable customer agreement.
Contact
cmp@cmpliance.ai
paterhn GmbH, Gotthardstrasse 26, 6300 Zug, Switzerland