Security
You are about to put your regulatory exposure in our database. Here is exactly how it is protected — and what we have not done yet.
Your data lives on servers in Germany (Bavaria), on EU-owned infrastructure. There is no US region, no replication outside the EU, and no third-party processor holding a copy of your compliance record. For an EU AI Act tool that is not a marketing line — the record of your regulatory exposure should not leave the jurisdiction that regulates you.
All traffic is HTTPS, with certificates issued and rotated automatically by Let's Encrypt. HSTS is enabled with a one-year max-age, includeSubDomains and preload, so a browser will refuse to talk to us over plain HTTP even on a first visit.
Postgres publishes no host port. It is reachable only from the application container over a private bridge network — there is no address on the public internet where the database answers, so it cannot be scanned, brute-forced or reached at all from outside.
Passwords are hashed with argon2id — the memory-hard algorithm recommended by OWASP — never stored or logged in plaintext, and never recoverable by us. Login attempts are rate-limited per client IP, with the client address taken from a proxy header the edge rewrites so it cannot be spoofed.
A strict Content-Security-Policy, X-Frame-Options: DENY (we cannot be framed or clickjacked), and X-Content-Type-Options: nosniff. File uploads are checked by magic bytes rather than trusting the declared type, and CSV exports are escaped against spreadsheet formula injection.
The database is dumped every night and kept for fourteen days. The backup job fails loudly rather than quietly: if a dump errors, the partial file is deleted instead of being left behind to look like a valid backup.
Actions in your workspace are written to an append-only audit log with actor, action, entity and timestamp — the same record an auditor will ask you for. Evidence files are versioned and superseded rather than overwritten, so history cannot be quietly rewritten.
Security pages usually list only wins. Ours lists the gaps too, because you are buying a compliance product: if we shade the truth here, nothing else we tell you is worth much.
- We are not SOC 2 or ISO 27001 certified. We are a young, independent company and we will not display a badge we have not earned. If your procurement process requires a certified sub-processor, tell us before you buy, not after.
- We have not commissioned an external penetration test yet. When we do, we will say so here, with the date.
- Disk-level encryption at rest is not enabled on the database volume today. Data is encrypted in transit; at rest it is protected by host and network isolation. This is on our list and we would rather write that here than imply otherwise.
- We do not offer SSO/SAML yet. Access is email and password with argon2id hashing and rate limiting.
If you find a security issue, email support@getconformly.com with the details and how to reproduce it. We will acknowledge within two business days and we will not take legal action against anyone who reports a genuine issue in good faith and gives us a reasonable chance to fix it before going public.
Processing details, your rights and our sub-processors are in the Privacy Policy. Payments and card data are handled entirely by our merchant of record and never reach our servers — see Terms.