- How are Compleat's services hosted?
- Where is customer data stored?
- How are Compleat's systems backed up?
- What authentication options are available?
- Is there an incident response & recovery plan?
- Is there a change management process?
- How are test & production environments kept separate?
- Who has access to customer data?
- Do Compleat comply with PCI-DSS?
- How are new vulnerabilities identified & managed?
- How frequent are independent security assessments?
- Is customer data encrypted at rest to AES-256?
This page answers all of the frequently asked questions we receive from customers relating to Compleat's security.
Here, we answer questions about everything from customer data protection and payment fraud prevention, to data encryption and our privacy policies.
How are Compleat's services hosted?
Compleat is a cloud-based solution hosted on Microsoft Azure.
To ensure we meet both operational needs and customer data geolocation requirements, we host our services in different Azure regions, tailored to where our customers are located.
Where is customer data stored?
Customer data is securely stored in the Azure UK South and South-Central US regional data centres based on each customer's geographic location and preference, ensuring compliance with data residency requirements.
Our office locations operate without physical servers and are entirely paperless, so no customer data is ever stored on our premises.
What browsers are supported by Compleat?
Compleat runs on the latest versions of Chrome, Safari, Edge, Firefox and Opera.
How are Compleat's systems backed up?
We regularly perform backups of both data and application configurations. Backups are held in geographically diverse locations and are kept on immutable storage.
What is Compleat's password policy?
Passwords must contain a minimum of 8 characters, have at least one number or special character, and at least one upper- and one lower-case letter.
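As an added illustration (not Compleat's own code), the following Python function checks a candidate password against exactly the rules stated above: at least 8 characters, at least one number or special character, and at least one upper-case and one lower-case letter. The page does not define which characters count as "special", so the check below treats any non-alphanumeric character as special; that is an assumption. The sample passwords are constructed for the demonstration.

```python
import re

# Added example, not Compleat's code. Encodes the password policy stated on the
# page. MIN_LENGTH comes from the page; the definition of "special character"
# (any non-alphanumeric character) is an assumption, since the page does not say.
MIN_LENGTH = 8


def check_password_policy(password: str) -> list[str]:
    """Return the list of policy rules the password fails; empty means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"must be at least {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        failures.append("must contain an upper-case letter")
    if not re.search(r"[a-z]", password):
        failures.append("must contain a lower-case letter")
    # Third rule: a digit OR any character outside A-Z/a-z/0-9 satisfies it.
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    if not (has_digit or has_special):
        failures.append("must contain a number or special character")
    return failures


def password_is_acceptable(password: str) -> bool:
    """True when the password meets every rule of the stated policy."""
    return not check_password_policy(password)


if __name__ == "__main__":
    # Constructed sample inputs covering a pass and each kind of failure.
    for candidate in ["Correct-Horse-9", "short1A", "alllowercase1", "NoDigitsHere", "ALLUPPER"]:
        print(f"{candidate!r}: {check_password_policy(candidate) or 'OK'}")
```

Returning the list of failed rules rather than a bare boolean lets a sign-up form tell the user which rule was missed without revealing anything beyond the published policy.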
What other authentication options are available within Compleat?
Compleat also supports SSO integration (Single Sign On) with Microsoft Entra ID (previously called Azure AD).
This enables our customers to log in with their Microsoft ID rather than our native email and password option.
Do Compleat have a privacy policy?
Yes - our privacy policy is available to view here.
Do Compleat have a formal and fully tested incident response and recovery plan?
Compleat have a tested and proven incident response process that we use as a framework for any incidents that occur.
Do Compleat have a change management process?
Compleat have a formal and appropriately audited change management process in place for both planned and unplanned changes.
How does Compleat keep its test and production environments separate?
Compleat logically separates test and production environments through independent subscriptions and resource groups within Azure.
Who has access to customer data at Compleat?
Compleat follow the Principle of Least Privilege (PoLP).
This means that Compleat employees are given the minimum level of access and permissions needed to perform their job functions.
Do Compleat comply with PCI-DSS?
PCI DSS is the global data security standard designed to protect credit card and payment data and reduce payment card fraud.
We do not store or process any credit card information ourselves, as all payments are securely managed by our payment provider, Stripe.
Stripe is PCI Service Provider Level 1 accredited.
How do Compleat identify and manage new vulnerabilities?
We have a defined vulnerability life cycle management process in place. This includes proactive and reactive activities to identify and manage new vulnerabilities.
We categorise new vulnerabilities based on their severity, and aim to remediate each severity level within the following timescales:
- Critical – ASAP from discovery
- High – ASAP from discovery
- Medium – 30 days from discovery
- Low – Added to continuous improvement product backlog
How often are independent security assessments undertaken?
We carry out external threat tests at least once annually, and internal security reviews on a quarterly basis.
Is all customer data encrypted at rest to AES-256?
AES-256 is an industry standard encryption strength.
All of our customer data is encrypted at rest (i.e. when stored in a database) to AES-256.
Is all customer data encrypted in transit to TLS 1.2?
TLS 1.2 (Transport Layer Security) is a protocol used to authenticate and encrypt data securely when it is transferred over a network.
All of our customer data is encrypted in transit using TLS 1.2 at minimum. This keeps that data secure when it is handled and processed within different parts of our application.
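As an added example (not Compleat's code), this Python snippet shows how a client enforces "TLS 1.2 at minimum" using the standard-library ssl module, alongside a small audit helper that reports whether a given context would still negotiate older protocol versions or skip certificate checks. It uses only standard ssl attributes (minimum_version, verify_mode, check_hostname); no network connection is made.

```python
import ssl

# Added example, not Compleat's code. Demonstrates enforcing a TLS 1.2 floor on
# the client side and auditing a context for the settings that undermine it.


def hardened_client_context() -> ssl.SSLContext:
    """Client context with certificate verification, hostname checking and TLS >= 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED + check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 and SSL outright
    return ctx


def context_findings(ctx: ssl.SSLContext) -> list[str]:
    """List the ways a context falls short of 'TLS 1.2 at minimum' with verified peers."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(
            f"allows protocol versions below TLS 1.2 (minimum is {ctx.minimum_version.name})"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require and verify the server certificate")
    if not ctx.check_hostname:
        findings.append("does not match the server hostname against its certificate")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """Deliberately misconfigured context (constructed for contrast, not a recommendation)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, including a forged one
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(f"{label}: {context_findings(ctx) or 'no findings'}")
```

The audit helper is the part worth reusing: run it over every SSLContext an application builds (or the one a library builds on its behalf) and treat any finding as a defect, since a single context that disables verification silently negates the transport encryption claim.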
What certifications do Compleat hold?
ISO
ISO certification confirms that a service meets all the requirements for standardization and quality assurance according to the standards developed by the ISO (International Organization for Standardization).
Compleat adhere to many ISO standards and best practices, and we underpin our product with numerous ISO-compliant utilities from Microsoft Azure and other suppliers.
Compleat are not currently ISO certified, but ISO certification is on our roadmap, and we aim to obtain it in due course.
Cyber Essentials Plus
Compleat hold the Cyber Essentials Plus accreditation with a certification date of 17 April 2025. Our Cyber Essentials certification number is: a64251c4-84bd-4554-82d7-ca62101e9c4d.
This can be independently verified here.