Trust & Security, OneStepWise

Security Controls

All data encrypted at rest (AES-256) and in transit (TLS 1.3)
Integration tokens stored in AES-256-GCM vault, never in plaintext
HMAC-chained evidence ledger, tamper-evident append-only audit log
All API keys and secrets stored as environment secrets, never in code
Clerk-powered authentication with MFA support and session management
Role-based access control (RBAC) across all dashboard panels
Intrusion detection system (IDS) monitors all inbound requests in real time
Automated weekly vulnerability scanning via CI pipeline
Dependency audits on every commit (npm audit + Dependabot)
Branch protection and required code reviews on all production changes

Compliance & Certifications

SOC 2 Type I preparation In progress

GDPR compliance Active

Data Processing Agreements (DPAs) Available on request

Penetration test 2026, completed

Service status View live status →

Data Handling

What we store

Assessment answers, compliance scores, generated policies, integration OAuth tokens (encrypted), and evidence artifacts. We never store raw source code.

Data residency

All customer data is stored in Supabase (PostgreSQL) hosted on AWS US-East-1. Vercel Edge Functions may process requests globally.

Retention

Your data is retained for the duration of your subscription plus 90 days. You can request deletion at any time by emailing privacy@mycomplai.com.

AI processing

Assessment data is sent to Anthropic Claude API to generate gap reports and policies. Anthropic does not use API data to train models.

Subprocessors

We use the following third-party services to deliver OneStepWise. All subprocessors are bound by data processing agreements.

Vercel

Application hosting and edge functions

Privacy policy →

Supabase

PostgreSQL database (customer data storage)

Privacy policy →

Anthropic

AI models for gap analysis and policy generation

Privacy policy →

Clerk

User authentication and session management

Privacy policy →

Stripe

Payment processing and subscription management

Privacy policy →

Resend

Transactional email delivery

Privacy policy →

Sentry

Application error monitoring

Privacy policy →

Responsible Disclosure

If you discover a security vulnerability in OneStepWise, please report it responsibly. We commit to acknowledging reports within 48 hours and providing a fix timeline within 5 business days.

Found a vulnerability? Email our security team directly.

security@mycomplai.com

Contact

Security questions

security@mycomplai.com

Privacy & data requests

privacy@mycomplai.com

DPA & enterprise agreements

legal@mycomplai.com

General enquiries

hello@mycomplai.com

How we protectyour data

Security Controls

Compliance & Certifications

Data Handling

Subprocessors

Responsible Disclosure

Contact

How we protect
your data