Security & Trust Center

How complixo protects your compliance data. We practice what we preach — security and transparency are core to everything we build.

EU-hosted | TLS 1.3 | GDPR compliant

Data Residency

All customer data is stored in Frankfurt, Germany (eu-central-1) using Supabase PostgreSQL. Serverless functions run on Vercel in the EU region (fra1). No customer data is transferred outside the European Economic Area (EEA).

This means your compliance data stays under EU jurisdiction at every layer of the stack — database, compute, and CDN edge.

Encryption

All data in transit is protected with TLS 1.3. HSTS headers enforce HTTPS connections and prevent downgrade attacks.

Data at rest is encrypted via Supabase's underlying AWS infrastructure using AES-256 encryption. Database backups are encrypted with the same standard.

Access Control

  • Row-Level Security (RLS) enforced on all database tables — every query is scoped to the authenticated user's organization.
  • Role-based access control with four roles: Owner, Admin, Editor, and Viewer — each with granular permissions.
  • Organization-scoped data isolation — users can never access data belonging to another organization, even via direct API calls.

Audit Trail

complixo maintains a hash-chained (SHA-256) append-only audit log. Every sensitive change — to controls, risks, evidence, test results, and settings — is recorded with:

  • Who made the change (user ID and email)
  • What was changed (entity type, field, old/new values)
  • When it happened (server-side timestamp)
  • Cryptographic chain linking each entry to the previous one, making tampering detectable

Audit logs are retained for 5 years to meet EU AI Act documentation requirements.

Authentication

  • Authentication powered by Supabase Auth with secure session management using HTTP-only cookies.
  • Passwords are hashed using bcrypt with automatic salting — we never store plaintext passwords.
  • Session tokens are short-lived with automatic refresh, reducing the window of exposure.

Infrastructure

Our infrastructure consists of managed, enterprise-grade services:

  • Vercel — hosting and serverless compute (EU region, fra1)
  • Supabase — PostgreSQL database and authentication (Frankfurt, Germany)
  • Stripe — payment processing (PCI DSS Level 1)

No self-hosted components. No servers to patch. Security updates are handled automatically by our infrastructure providers.

Security Headers

All responses include hardened security headers to protect against common web attacks:

  • Content-Security-Policy (CSP) — prevents XSS and data injection
  • Strict-Transport-Security (HSTS) — enforces HTTPS
  • X-Frame-Options — prevents clickjacking
  • X-Content-Type-Options — prevents MIME sniffing
  • Referrer-Policy — controls information leakage
  • Permissions-Policy — restricts browser feature access

Payments

All payment processing is handled by Stripe. No credit card numbers, CVVs, or sensitive payment data ever touch our servers. Stripe is PCI DSS Level 1 certified — the highest level of payment security compliance. We only store a Stripe customer ID and subscription status.

Compliance

  • GDPR compliant — lawful basis for processing, data minimization, right to erasure, right to portability
  • EU-only hosting — no data transfers outside the EEA
  • Full data export — export your data in PDF, Excel, CSV, or Word at any time
  • Account deletion — delete your account and all associated data from Settings
  • See our Privacy Policy for full details

What We Don't Provide (Yet)

We believe in transparency. Here is what complixo does not currently offer:

  • No formal SLA — we target high availability but do not guarantee specific uptime percentages
  • No SOC 2 certification — planned for the future as we grow
  • No dedicated security team — security is handled by our engineering team with infrastructure-level protections
  • Best-effort incident response — we investigate and respond promptly but without contractual response times

complixo is designed for SMBs and consultants. If your organization requires enterprise procurement processes (vendor risk questionnaires, custom DPAs, dedicated infrastructure), complixo may not be the right fit today.

Security Contact

For security-related inquiries, contact us at security@complixo.com. We aim to acknowledge all security inquiries within 2 business days.

Responsible Disclosure

If you discover a security vulnerability, we appreciate your help in disclosing it responsibly:

  • Email security@complixo.com with a description of the vulnerability
  • Include steps to reproduce the issue, if possible
  • Allow us reasonable time to investigate and address the issue before any public disclosure
  • Do not access, modify, or delete data belonging to other users

We will not take legal action against researchers who follow these guidelines.

Last updated: February 25, 2026