Security

How CompliAI protects your data and the platform.

Data in Transit

All data transmitted between your browser and CompliAI is encrypted via TLS 1.3. API calls to AI providers use encrypted connections. No data is transmitted over unencrypted channels.

Infrastructure

CompliAI is deployed on Vercel's globally distributed edge infrastructure, which is built on AWS. Infrastructure-level security, DDoS protection, and availability monitoring are managed by Vercel.

AI Data Practices

Your personalization inputs for document generation are sent to Anthropic's Claude API. We do not store these inputs beyond the generation request. Your data is never used to train AI models — by CompliAI or by Anthropic, per their API terms.

Payment Security

Payments are handled entirely by Stripe. CompliAI never stores, processes, or transmits payment card data. Stripe is PCI DSS Level 1 certified — the highest level of payment security certification.

Access Control

User authentication is managed by industry-standard session tokens. API keys and secrets are stored as environment variables and are never exposed to the client. We apply the principle of least privilege across all system components.

Session Data

Assessment results are stored in your browser's session storage and are not transmitted to our servers. This data is cleared when you close your browser tab. We do not track your assessment answers server-side without explicit account creation.

Responsible Disclosure

If you discover a security vulnerability in CompliAI, please report it to security@compliaiapp.com. We will investigate and respond within 72 hours. We ask that you do not publicly disclose vulnerabilities until we have had the opportunity to address them.