How GetComply Handles Customer Data

GetComply helps teams organize sensitive compliance evidence, so our own security posture matters. This page explains how we think about access, data handling, and operational safeguards.

Authentication and access

Access to customer workspaces is limited to people who need it to support the engagement. Administrative access is protected with strong authentication. We review access as the team and customer base grows.

Customers access the portal through authenticated sessions. Each workspace is scoped to a single tenant. One customer cannot access another customer's workspace.

Evidence handling

Customers should upload only the evidence needed for readiness work. GetComply uses the workspace to organize evidence, owners, gaps, and next steps. We do not require sensitive materials beyond what is necessary for the engagement.

Evidence files are stored using cloud infrastructure with access controls. Advisors access customer evidence to review quality and provide guidance. That access is scoped to the engagement.

Customer separation

Each customer workspace is treated as separate. Customer information is not shared across tenants, demo environments, or unrelated internal workspaces. Workspace data is filtered by tenant in every database query and storage operation.

Vendors and infrastructure

GetComply relies on third-party infrastructure and SaaS tools to operate the website, portal, email, and customer workflows. We select vendors based on security, reliability, and fit for handling customer data. As GetComply grows, vendor review will become a more formal part of our own governance program.

Logging and monitoring

Operational activity in the portal is logged so issues can be investigated when needed. Evidence approvals, governance decisions, and access changes are captured in an audit log tied to the user and timestamp. As GetComply matures, alerting and access review processes will become more formal.

Backups and availability

Customer-facing systems are backed up based on the importance of the data and service. The goal is to keep readiness work accessible and avoid preventable data loss. We rely on managed database infrastructure with built-in replication and point-in-time recovery.

Responsible disclosure

If you believe you have found a security issue involving GetComply, please contact:

[email protected]

We will acknowledge reports and work to address confirmed issues promptly. We do not have a formal bug bounty program at this time.

This page is not a SOC 2 report, audit opinion, or formal certification. It is a plain-language overview of how GetComply approaches customer data and security operations. As the company grows, this page will be updated to reflect improvements to our program.