Trust Center
Transparency into OneComply's security controls, architecture, and data residency.
AES-256 encryption for all data stored in our database and file storage.
TLS 1.3 enforced on all connections. HSTS enabled with preload.
Comprehensive audit trail for all data access and modifications.
Fine-grained RBAC with 9 roles from Viewer to Owner.
8-hour session timeout with progressive login lockout.
Automated dependency scanning and security audits.
Every primary service sits in the EU. Customer browsers terminate TLS at the Vercel edge in Frankfurt; application code runs in the same region; data is stored and processed in eu-central-1.
For the full technical picture see the developer documentation.
OneComply keeps primary application data, evidence files, authentication, and database backups in EU regions. Selected sub-processors may process limited operational metadata under DPA-backed terms, as listed below.
eu-central-1). Daily backups with 7-day point-in-time recovery stay in region. Customer evidence and application records remain in EU storage. Billing, email, and observability metadata are governed by the relevant sub-processor agreements.
OneComply is deployed with EU data residency as the default architecture: application hosting, database, authentication, and object storage are configured for European regions.
Vercel
Application hosting & CDN
EU (Frankfurt, fra1)
Supabase
PostgreSQL database & file storage
EU (Frankfurt, eu-central-1)
Stripe
Payment processing
EU (Dublin)
Resend
Transactional email
US (EU data routing)
OneComply implements strict multi-tenant isolation at every layer:
orgId, with automated tests covering critical cross-tenant paths.
orgId/evidenceId/filename). Ownership is verified before every access.

| Control | Implementation | Status |
|---|---|---|
| Authentication Provider | Supabase Auth with server-side session checks | Active |
| Session Timeout | 8-hour inactivity timeout with automatic sign-out | Active |
| Login Protection | Progressive lockout: 1min → 5min → 15min → 60min after repeated failures | Active |
| API Rate Limiting | 120 requests/minute per IP with sliding window | Active |
| RBAC | 9 roles: Owner, Admin, Compliance Officer, Risk Manager, Control Owner, Member, Viewer, Auditor, External Vendor | Active |
| SSO / SAML | Enterprise SSO integration for organizational identity providers | Roadmap |
| MFA | Multi-factor authentication via authenticator apps | Active |
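The ownership check described under multi-tenant isolation, as an added example that is not OneComply's code: a storage key of the form `orgId/evidenceId/filename` is parsed against a strict allow-list, the `orgId` in the key is compared with the organisation bound to the server-side session, and keys for new uploads are always built from the session's `orgId` rather than from anything the client sends. The segment character sets, the `session` shape and the `WRITE_ROLES` mapping are assumptions made for the example; the page does not state which of the 9 roles may write evidence.

```javascript
// Added example, not OneComply's code. Verifies that an evidence object key
// (orgId/evidenceId/filename) belongs to the caller's organisation before any
// storage read or write is attempted.

// Constructed allow-lists: one path segment, and a filename. Neither admits
// '/', a leading '.', or percent-encoding, so '..' and '%2e%2e' never parse.
const SEGMENT = /^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/;
const FILENAME = /^[A-Za-z0-9][A-Za-z0-9 ._()-]{0,254}$/;

// Assumed role-to-permission mapping for writes (not stated on the page).
const WRITE_ROLES = new Set(['Owner', 'Admin', 'Compliance Officer', 'Control Owner']);

// Parse a key into its three parts; return null for anything off-shape
// (wrong segment count, empty segments, traversal, odd characters).
function parseEvidenceKey(key) {
  if (typeof key !== 'string') return null;
  const parts = key.split('/');
  if (parts.length !== 3) return null;
  const [orgId, evidenceId, filename] = parts;
  if (!SEGMENT.test(orgId) || !SEGMENT.test(evidenceId)) return null;
  if (!FILENAME.test(filename)) return null;
  return { orgId, evidenceId, filename };
}

// Decide whether a session may touch a key. The session object is assumed to
// carry the orgId and role established server-side at sign-in.
function authorizeEvidenceAccess(session, key, operation) {
  const parsed = parseEvidenceKey(key);
  if (!parsed) return { allowed: false, reason: 'malformed key' };
  if (parsed.orgId !== session.orgId) return { allowed: false, reason: 'cross-tenant' };
  if (operation === 'write' && !WRITE_ROLES.has(session.role)) {
    return { allowed: false, reason: 'role' };
  }
  return { allowed: true, key: parsed };
}

// Build the key for a new upload from the session, never from client input,
// so a caller cannot choose another tenant's prefix.
function evidenceKeyFor(session, evidenceId, filename) {
  if (!SEGMENT.test(evidenceId) || !FILENAME.test(filename)) {
    throw new Error('invalid evidenceId or filename');
  }
  return `${session.orgId}/${evidenceId}/${filename}`;
}

// Stand-alone demonstration with a constructed session.
if (typeof require !== 'undefined' && require.main === module) {
  const session = { orgId: 'org-1', role: 'Viewer' };
  console.log(authorizeEvidenceAccess(session, 'org-1/ev-9/report.pdf', 'read'));
  console.log(authorizeEvidenceAccess(session, 'org-2/ev-9/report.pdf', 'read'));
  console.log(authorizeEvidenceAccess(session, 'org-1/../org-2/ev/x.pdf', 'read'));
}

module.exports = { parseEvidenceKey, authorizeEvidenceAccess, evidenceKeyFor };
```

The parser rejects rather than normalises: a key with four segments or a `..` component is refused outright instead of being cleaned up, which keeps the ownership comparison a plain string equality on a segment the server itself produced.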
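The two throttling controls in the table, the progressive login lockout (1 min, 5 min, 15 min, 60 min) and the 120 requests/minute per-IP sliding-window rate limit, as an added example that is not OneComply's code. The lockout steps and the rate-limit figures are those stated on the page; the number of failed attempts that triggers each lockout step (`FAILURES_PER_STEP`) and the in-memory storage are assumptions, and the clock is injectable so the behaviour can be exercised without waiting.

```javascript
// Added example, not OneComply's code. In-memory implementations of a
// progressive login lockout and a sliding-window per-IP rate limiter.

// Lockout durations from the page: 1min → 5min → 15min → 60min.
const LOCKOUT_STEPS_MS = [1, 5, 15, 60].map((m) => m * 60 * 1000);
// Assumed: failures before each lockout step; the page does not state it.
const FAILURES_PER_STEP = 5;

class LoginLockout {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // accountKey -> { failures, step, lockedUntil }
  }

  // Milliseconds remaining on an active lockout, or 0 if login may proceed.
  lockedFor(accountKey) {
    const s = this.state.get(accountKey);
    if (!s || s.lockedUntil <= this.now()) return 0;
    return s.lockedUntil - this.now();
  }

  // Record a failed attempt; returns the lockout now in force (0 if none).
  // Each lockout lasts longer than the previous one, capped at the last step.
  recordFailure(accountKey) {
    const s = this.state.get(accountKey) ?? { failures: 0, step: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= FAILURES_PER_STEP) {
      const idx = Math.min(s.step, LOCKOUT_STEPS_MS.length - 1);
      s.lockedUntil = this.now() + LOCKOUT_STEPS_MS[idx];
      s.step += 1;
      s.failures = 0;
    }
    this.state.set(accountKey, s);
    return this.lockedFor(accountKey);
  }

  // A successful login clears both the counter and the escalation step.
  recordSuccess(accountKey) {
    this.state.delete(accountKey);
  }
}

class SlidingWindowLimiter {
  // Defaults match the page: 120 requests per 60 s window, keyed by IP.
  constructor({ limit = 120, windowMs = 60_000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // ip -> timestamps of counted requests in the window
  }

  // Sliding log: drop timestamps older than the window, then admit the request
  // only if fewer than `limit` remain. Per-IP memory is bounded by `limit`.
  check(ip) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const log = (this.hits.get(ip) ?? []).filter((ts) => ts > cutoff);
    if (log.length >= this.limit) {
      this.hits.set(ip, log);
      return { allowed: false, remaining: 0 };
    }
    log.push(t);
    this.hits.set(ip, log);
    return { allowed: true, remaining: this.limit - log.length };
  }
}

// Combined gate for a login attempt: rate limit first (cheapest), then lockout.
function loginGate(limiter, lockout, ip, accountKey) {
  if (!limiter.check(ip).allowed) return { proceed: false, reason: 'rate-limited' };
  const wait = lockout.lockedFor(accountKey);
  if (wait > 0) return { proceed: false, reason: 'locked', retryAfterMs: wait };
  return { proceed: true };
}

module.exports = { LoginLockout, SlidingWindowLimiter, loginGate, LOCKOUT_STEPS_MS, FAILURES_PER_STEP };
```

The rate limiter runs before the lockout check so that a flood of login requests is rejected without touching per-account state; the lockout is keyed by account, not IP, so it cannot be evaded by rotating source addresses, while the limiter bounds how much work any single address can cause per minute.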
EU-based infrastructure, privacy controls, and DPA available to support GDPR-aligned processing.
Platform built to support DORA readiness workflows. Our own operations follow DORA-inspired resilience principles.
Independent audit of security, availability, and confidentiality controls.
Information security management system certification.
Annual third-party penetration testing of our application and infrastructure. Results are reviewed and remediated within defined SLAs.
Documented incident response plan with defined roles, escalation procedures, and communication templates. Security incidents are reported to affected customers within 72 hours per GDPR requirements.
Daily automated database backups with 7-day point-in-time recovery. RTO target: 4 hours. RPO target: 1 hour. DR runbook maintained and tested regularly.
Security-first development with code review, dependency scanning, and automated testing. Security headers (CSP, HSTS, X-Frame-Options) enforced on all responses.
| Provider | Service | Data Processed | Location |
|---|---|---|---|
| Supabase | Database, Auth, Storage | All application data | EU (Frankfurt) |
| Vercel | Hosting, CDN | Request logs, session data | EU (Frankfurt) |
| Stripe | Payments | Billing email, subscription | EU (Dublin) |
| Resend | Transactional email | Email address, invoice data | US (EU routing) |
All responses from OneComply include the following security headers:
To report a vulnerability or security concern, or to request our security documentation:
Security Team: security@onecomply.eu
Privacy Team: privacy@onecomply.eu