1. Security overview
Complair is a compliance workspace that processes sensitive regulatory data. Security is not an afterthought — it is a core product requirement. We apply defence in depth: multiple layers of protection so that no single point of failure can compromise customer data.
2. Infrastructure & hosting
- Provider: Hetzner Online GmbH — a German hosting company with ISO 27001-certified data centres.
- Location: Frankfurt, Germany (European Union). All application data — database, backups, file storage — stays in the EU.
- Database: PostgreSQL, running on dedicated instances with encrypted storage volumes.
- Network: Firewall rules enforce least-privilege access. SSH key-only access; no password-based server login. All management traffic is encrypted.
- Patching: Operating system and dependency updates are applied regularly. Critical security patches are applied within 24 hours of disclosure.
3. Encryption
| Layer | Standard | Details |
|---|---|---|
| In transit | TLS 1.2+ | All HTTP traffic is served over HTTPS. HSTS is enabled. TLS 1.0 and 1.1 are disabled. |
| At rest | AES-256 | Database storage volumes, backups, and any file uploads are encrypted at rest. |
| Passwords | bcrypt | User passwords are hashed with bcrypt (cost factor 12). We never store plaintext passwords. |
| Backups | AES-256 | Daily encrypted backups with tested restore procedures. Rotated out of cold storage within 35 days. |
4. Authentication & access control
- Authentication: Devise-based session management with secure, HTTP-only, same-site cookies. Sessions are scoped to the workspace.
- Password policy: Minimum length enforced; breached-password detection via Devise's built-in checks.
- Role-based access: Three roles (member, admin, owner) enforced via Pundit authorization policies on every controller action.
- Invitation-only workspaces: New users can only join a workspace through an explicit invitation from an admin or owner.
- Session management: Sessions expire after inactivity.
5. Tenant isolation
Complair is a multi-tenant application. Every data record belongs to a single company. Isolation is enforced at the database layer:
- Application scoping: Authenticated app controllers resolve the current company and load tenant-owned records through that company. Selected high-risk models also use acts_as_tenant as an additional guard.
- Authorization layer: Pundit policies provide a second check — even if a record were somehow loaded, access would be denied unless the user belongs to the correct company.
- Tested: Multi-tenant isolation is covered by automated tests that verify cross-tenant access is blocked.
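The two layers described above, shown as an added example in plain Ruby (no Rails or Pundit gem) rather than Complair's own code; the Policy class shape follows Pundit's `initialize(user, record)` convention, but the model names and the repository helper are assumptions:

```ruby
# Two-layer tenant isolation: a company-scoped lookup (layer 1) plus a
# Pundit-style policy that re-checks membership on the loaded record (layer 2).
# Model names (Company, User, Report) are assumed for illustration.
Company = Struct.new(:id, :name)
User    = Struct.new(:id, :company_id)
Report  = Struct.new(:id, :company_id, :title)

# Layer 1: every lookup goes through the current company, so a record id
# belonging to another tenant is simply not found.
class ReportRepository
  def initialize(reports)
    @reports = reports
  end

  def for_company(company)
    @reports.select { |r| r.company_id == company.id }
  end

  def find_scoped(company, id)
    record = for_company(company).find { |r| r.id == id }
    raise KeyError, "report #{id} not found in company #{company.id}" if record.nil?
    record
  end
end

# Layer 2: Pundit-convention policy; denies unless the user is in the record's company,
# even if the record was loaded by some path that skipped the scoped lookup.
class ReportPolicy
  def initialize(user, record)
    @user, @record = user, record
  end

  def show?
    @record.company_id == @user.company_id
  end
end

def authorize!(user, record)
  raise "not authorized" unless ReportPolicy.new(user, record).show?
  record
end

# Constructed sample tenants and records.
ACME    = Company.new(1, "Acme")
GLOBEX  = Company.new(2, "Globex")
REPORTS = ReportRepository.new([Report.new(10, 1, "Acme audit"), Report.new(20, 2, "Globex audit")])

# Returns true when both layers together block the access attempt.
def cross_tenant_blocked?(user, company, report_id)
  authorize!(user, REPORTS.find_scoped(company, report_id))
  false
rescue KeyError, RuntimeError
  true
end
```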
6. Application security
- Framework protections: Rails provides built-in defenses against CSRF, XSS, SQL injection, mass assignment, and clickjacking. All are enabled.
- Content Security Policy: A CSP header is enforced to reduce cross-site scripting and data injection risk.
- Dependency scanning: Automated scanning for known vulnerabilities in Ruby gems and JavaScript packages. Alerts are triaged within 24 hours.
- Static analysis: Brakeman (Rails security scanner) runs as part of the CI pipeline. New findings block deployment.
- Rate limiting: Rack::Attack throttles authentication attempts, API calls, and other abuse vectors.
- Parameter filtering: Sensitive fields (passwords, tokens, API keys) are filtered from logs.
7. Data handling
- Data minimisation: We collect only what is necessary to provide the Service. Logs are stripped of sensitive fields.
- AI processing: When AI features are used, prompts are sent to Anthropic (Claude API) under their commercial API terms. Anthropic does not use prompt data to train models. We do not use Customer Data to train our own models.
- Retention: Customer Data is retained for the lifetime of the subscription plus 30 days for export. Backups are rotated within 35 days. Invoices are retained for 10 years per Romanian accounting law (Law 82/1991).
- Deletion: Upon account termination, all Customer Data is permanently deleted from production within 30 days. Customers can request earlier deletion.
- Portability: Customers can export their data at any time in PDF, Excel, and structured formats.
8. Monitoring & logging
- Application logging: Structured logs for authentication events, authorization decisions, data access, and administrative actions.
- Audit trail: All significant user actions are recorded in an immutable audit log accessible to workspace admins.
- Error monitoring: Sentry (EU-hosted) captures application errors with personal data scrubbed from stack traces.
- Alerting: Anomaly detection for failed login spikes, unusual API usage patterns, and infrastructure health.
- Log retention: Application logs retained for 30 days. Audit logs retained for 2 years.
9. Incident response
We maintain a documented incident response plan covering identification, containment, eradication, recovery, and post-mortem analysis.
- Detection: Automated monitoring and alerting detect anomalies in real time.
- Notification: If a confirmed personal data breach affects Customer Data, we notify the affected Customer within 48 hours and the relevant supervisory authority within 72 hours where required by GDPR.
- Communication: Affected customers receive clear, actionable information about the nature, scope, and recommended mitigation steps.
- Post-mortem: Every security incident is followed by a blameless post-mortem. Lessons learned are fed back into our security controls.
10. Personnel security
- All staff with access to Customer Data sign confidentiality agreements.
- Access to production systems follows the principle of least privilege and is reviewed quarterly.
- Security awareness training is conducted annually.
- Offboarding procedures ensure all access is revoked immediately upon departure.
11. Certifications & compliance
| Standard | Status |
|---|---|
| GDPR | Aligned controls |
| EU AI Act | Readiness tooling |
| SOC 2 Type II | In progress |
| ISO 27001 | Planned |
We are actively working toward SOC 2 Type II certification. If you need a current security questionnaire or evidence package, please contact security@complair.eu.
12. Responsible disclosure
We welcome responsible security research. If you discover a vulnerability in Complair, please report it to security@complair.eu.
- Please provide a clear description of the vulnerability and steps to reproduce.
- Give us reasonable time to investigate and fix the issue before public disclosure.
- Do not access, modify, or delete data belonging to other customers.
- We will acknowledge receipt within 2 business days and aim to resolve confirmed issues within 30 days.
13. Contact
Security questions, vendor questionnaire requests, or incident reports: