This page answers all of the frequently asked questions we receive from customers relating to Compleat's security.
Here, we answer questions about everything from customer data protection and payment fraud prevention, to data encryption and our privacy policies
Are Compleat ISO certified?
ISO certification confirms that a service meets all the requirements for standardization and quality assurance according to the standards developed by the ISO (International Organization for Standardization).
Compleat are not currently ISO certified. There hasn’t yet been sufficient demand from our existing or prospective customer base to warrant obtaining ISO certification.
We already adhere to many ISO standards and best practices, and underpin our product with numerous ISO-compliant utilities from Microsoft Azure.
That said, ISO certification is certainly on our roadmap and we aim to obtain it in due course.
Do Compleat have a formal and fully tested incident response and recovery plan?
Compleat have a tested incident response process in place that we use as a framework for any incidents that occur.
Do Compleat have a change management process?
Compleat have a formal and appropriately audited change management process in place for both planned and unplanned changes.
How does Compleat keep its test and production environments separate?
Compleat logically separates test and production environments though independent subscriptions and resource groups within Azure.
Who has access to customer data at Compleat?
Compleat follow the Principle of Least Privilege (PoLP).
This means that Compleat employees are given the minimum level of access and permissions needed to perform their job functions.
Do Compleat comply with PCI-DSS?
PCI DSS is the global data security standard designed to protect credit card and payment data and reduce payment card fraud.
Any card payments are handled entirely by our card payment provider, Stripe.
Stripe is PCI Service Provider Level 1 accredited.
How do Compleat identify and manage new vulnerabilities?
We have a defined vulnerability life cycle management process in place. This includes proactive and reactive activities to identify and manage new vulnerabilities.
We categorise new vulnerabilities based on their severity, and aim to remediate each severity level within the following timescales:
- Critical – ASAP from discovery
- High – ASAP from discovery
- Medium – 30 days from discovery
- Low – Added to continuous improvement product backlog
How often are independent security assessments undertaken?
We carry external threat tests at least once annually, and internal security reviews on a quarterly basis.
Is all customer data encrypted at rest to AES-256?
AES-256 is an industry standard encryption strength.
All of our customer data is encrypted at rest (ie. when stored in a database) to AES-256.
Is all customer data encrypted in transit to TLS 1.2?
TLS 1.2 (Transport Layer Security) is a protocol used to authenticate and encrypt data securely when it is transferred over a network.
All of our customer data is encrypted in transit to TLS 1.2. This keeps that data secure when it is handled and processed within different parts of our application.
How are Compleat's services hosted?
Compleat is hosted on Microsoft Azure across different regions, depending on when our customers are based.
How are Compleat's systems backed up?
We perform regular immutable backups of data and application configurations for a variety of periods depending on requirements.
Where is customer data stored?
Customer data is stored in Azure data centres specific to the customer’s geographic location to ensure appropriate data residency.
Our office locations have no physical server presence and we are completely paperless, meaning no customer data is stored at any of our premises.
What is Compleat's password policy?
Passwords must contain a minimum of 8 characters, have at least one number or special character, and at least one upper- and one lower-case letter.
What other authentication options are available within Compleat?
Compleat also supports SSO integration (Single Sign On) with Microsoft Entra ID (previously called Azure AD).
This enables our customers to log in with their Microsoft ID rather than our native email and password option.
What browsers are supported by Compleat?
Compleat runs on the latest versions of Chrome, Safari, Edge, Firefox and Opera.