The ComplianceAide Trust & Security Portal

Your one-stop resource for data protection, privacy, and regulatory compliance information.
Overview
Welcome to The ComplianceAide's Trust Portal, specifically crafted for our API and services. Here, you'll find:
- A clear view of our security, privacy, and compliance measures
- Answers to your most pressing questions
- An outline of the frameworks and methods we use to keep your data protected
Our mission is to be transparent and earn your trust by sharing the steps we take to safeguard your information.
Data Usage
- We do not store your prompts, responses, policies, assessments, or evidence beyond a 7-day period.
- Your prompts and completions:
  - Are NOT available to other customers
  - Are NOT available to OpenAI
  - Are NOT used to improve OpenAI models
  - Are NOT used to improve any Microsoft or 3rd party products/services
  - Are NOT used for automatically improving Azure OpenAI models (the models remain stateless unless you explicitly fine-tune them)
Security Compliance
We maintain alignment with recognized industry standards, including:
- Cyber Essentials
- NIST Cybersecurity Framework (NIST CSF)
- ISO 27001:2022
Risk Profile
- Third-Party Dependence: Yes, we rely on select external providers for specialized tasks.
- Hosting: Our services and data are hosted in Azure (major cloud provider).
Data Security
- Backups: Performed regularly to mitigate data loss incidents.
- Data Deletion: All user data (responses, policies, plans, POEMS, assessments, or evidence) is purged after 7 days.
- Encryption-in-Transit: We use TLS 1.2 to secure data while in transit.
- Physical Security: Handled by Azure data centers.
Access Control
- Data Access: All internal system privileges are granted under the principle of least privilege and are regularly reviewed.
- Logging: Critical security events are continuously monitored and logged.
- Credential Security: We enforce strong password policies, including MFA, and securely store passwords in a company-managed vault.
Infrastructure
- 24/7 Status Monitoring: Our infrastructure is monitored continuously.
- Windows 365: Employee endpoints leverage Windows 365 Enterprise VDIs, hosted in multiple North American Azure regions.
- Azure: Hosting is primarily within multiple North American Azure regions for redundancy.
- Infrastructure-as-Code: We deploy resources securely through code-driven automation.
- Separate Production Environment: We never use customer data in non-production environments.
Endpoint Security
- Disk Encryption: All employee endpoints and cloud infrastructure instances are protected with full-disk encryption.
- Endpoint Detection & Response (EDR): Every corporate device runs advanced EDR software.
- Mobile Device Management (MDM): Centralized controls ensure consistent security policies on all endpoints.
Network Security
- Firewalls & Network Policies: We employ firewalls and Cilium Network Policies to regulate traffic at the container or Kubernetes level.
- Intrusion Detection System (IDS): All network activity is centrally logged, with custom detection logic to flag anomalies and potential threats.
Incident Response & Reporting
We maintain a formal Incident Response Plan for identifying, containing, and remediating security incidents.
- 24/7 Alerting: Our monitoring and detection systems automatically flag suspicious activity for immediate review.
- Escalation Process: Potential security events are escalated to our internal security team to determine impact and remediation steps.
- Contact: If you believe you’ve identified a security vulnerability, please reach out to us at security@complianceaide.com.
Vulnerability Management
We run continuous vulnerability scans on our infrastructure and applications.
- Third-Party Testing: We regularly work with independent security partners to perform penetration tests.
- Patch Management: Critical patches are applied on an expedited schedule to minimize exposure.
Business Continuity & Disaster Recovery
We’ve built our services with geo-redundancy in mind, hosting data and systems in multiple regions.
- Recovery Goals: We aim for an RTO (Recovery Time Objective) of less than X hours and an RPO (Recovery Point Objective) of less than Y hours.
- DR Exercises: We conduct periodic tests of our disaster recovery plans to ensure ongoing preparedness.
Responsible Disclosure
We value the contributions of the security community in helping us maintain a strong security posture.
- If you discover any potential vulnerabilities, we encourage you to report them responsibly to security@complianceaide.com.
- We will investigate all valid reports and take appropriate actions to address them.
Thank You for Trusting The ComplianceAide
We’re committed to continuously refining our security practices to protect your data and uphold the highest compliance standards.