Security
Last updated: February 23, 2026
1. Overview
Security isn't a feature we bolted on — it's built into how we design, build, and operate compliance.tf. This page gives you an overview of our security practices. For detailed compliance documentation, certifications, and downloadable resources, visit our Trust Center.
2. Trust Center
compliance.tf Trust Center
Our Trust Center is the central hub for all compliance and security documentation. It includes our SOC 2 reports, 40+ security controls, and downloadable resources including our ISMS Manual and System Description.
Visit Trust Center
3. Architecture Overview
compliance.tf is built on a serverless architecture designed for security and resilience:
- Static frontend served from Amazon S3 via CloudFront CDN — no server-side rendering means a minimal attack surface
- API runs on AWS Lambda — each request executes in an isolated environment with no persistent state
- Data stored in Amazon DynamoDB with encryption at rest enabled by default
- Authentication handled by AWS Cognito with support for email/password and Google OAuth
- Infrastructure spans two AWS regions: us-east-1 (US) and eu-west-1 (Ireland)
The serverless model means there are no servers to patch, no operating systems to maintain, and no long-running processes that could be compromised.
4. Encryption
All data is encrypted, both in transit and at rest:
- In transit: TLS 1.2 or higher for all connections. There are no unencrypted paths — HTTP requests are automatically redirected to HTTPS.
- At rest: AES-256 encryption via AWS Key Management Service (KMS) for all stored data, including DynamoDB tables, S3 objects, and CloudWatch logs.
- API tokens: hashed before storage — we never store tokens in plaintext.
5. Access Controls
We follow the principle of least privilege across all systems:
- IAM policies grant only the minimum permissions required for each service and function
- No shared credentials — every team member has individual access with multi-factor authentication
- API tokens are scoped per customer and can be revoked at any time
- Infrastructure access is logged and auditable
- Production systems are isolated from development environments
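As an added illustration of the two token controls above (hashed-before-storage from section 4, and per-customer scoping with revocation from section 5), here is a small Python token store. It is example code written for this page, not compliance.tf's implementation; the `ctf_` prefix, the in-memory dictionary standing in for a DynamoDB table, and all function names are assumptions.

```python
"""Hypothetical API token store for a serverless API (example, not compliance.tf code).

Tokens are random, high-entropy strings; only their SHA-256 digest is
persisted, so a leaked table exposes nothing a caller could present.
Each record carries the owning customer so a token can only act on that
customer's data, and revocation is a flag flip that takes effect on the
next request.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed prefix so leaked tokens are recognisable to log scrubbers and secret scanners.
TOKEN_PREFIX = "ctf_"


@dataclass
class TokenRecord:
    customer_id: str   # scope: the only tenant this token may act on
    token_hash: str    # hex SHA-256 of the token; the raw token is never stored
    revoked: bool = False


def hash_token(token: str) -> str:
    # A plain SHA-256 is adequate here because the token itself carries
    # 256 bits of randomness; a slow, salted KDF is only needed for
    # low-entropy secrets such as user-chosen passwords.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """In-memory stand-in for a table keyed by token hash (e.g. a DynamoDB table)."""

    def __init__(self) -> None:
        self.records: Dict[str, TokenRecord] = {}

    def issue(self, customer_id: str) -> str:
        """Create a token for one customer and return it exactly once."""
        token = TOKEN_PREFIX + secrets.token_urlsafe(32)
        digest = hash_token(token)
        self.records[digest] = TokenRecord(customer_id, digest)
        return token

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the customer the token is scoped to, or None if invalid or revoked."""
        digest = hash_token(presented)
        rec = self.records.get(digest)
        # compare_digest keeps the final check constant-time even if the
        # backing store's keyed lookup were ever replaced by a scan.
        if rec is None or not hmac.compare_digest(rec.token_hash, digest):
            return None
        return None if rec.revoked else rec.customer_id

    def can_access(self, presented: str, resource_owner: str) -> bool:
        """Per-customer scoping: a valid token only unlocks its own tenant's data."""
        return self.authenticate(presented) == resource_owner

    def revoke(self, presented: str) -> bool:
        """Revoke one token given its plaintext (e.g. the customer rotates a key)."""
        rec = self.records.get(hash_token(presented))
        if rec is None:
            return False
        rec.revoked = True
        return True

    def revoke_all(self, customer_id: str) -> int:
        """Revoke every token for a customer without needing the plaintexts."""
        count = 0
        for rec in self.records.values():
            if rec.customer_id == customer_id and not rec.revoked:
                rec.revoked = True
                count += 1
        return count


if __name__ == "__main__":
    store = TokenStore()
    token = store.issue("cust-a")          # shown to the customer once, never persisted
    print(store.authenticate(token))       # cust-a
    store.revoke(token)
    print(store.authenticate(token))       # None
```

The design point worth noting is the split between a token and a password: because the token is generated with 256 bits of randomness, an attacker who obtains the table cannot brute-force the digests, so an unsalted SHA-256 is sufficient and keeps each Lambda invocation cheap; a password store would need a slow, salted KDF instead.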
6. Incident Response
We have documented incident response procedures that include:
- Detection and triage
- Containment and mitigation
- Notification (within 72 hours for personal data breaches, per GDPR)
- Root cause analysis and remediation
- Post-incident review
We conduct regular incident response exercises to make sure our team is prepared. For more details on breach notification, see our Data Processing Agreement.
7. Compliance
We maintain the following compliance certifications and commitments:
- SOC 2 Type II — available through our Trust Center
- GDPR — see our Privacy Policy and Data Processing Agreement for details
- AWS Well-Architected Framework — we follow AWS best practices for security, reliability, and operational excellence
8. Responsible Disclosure
If you've found a security vulnerability in compliance.tf, we want to hear about it. Please report vulnerabilities to mail@compliance.tf with a clear description of the issue, steps to reproduce, and any relevant evidence.
We ask that you:
- Give us reasonable time to investigate and fix the issue before disclosing it publicly
- Don't access or modify other users' data
- Don't disrupt the service for other users
We won't take legal action against researchers who follow these guidelines in good faith. We appreciate the security community's help in keeping compliance.tf safe.