SOC 2 status
SmartComply maintains SOC 2-aligned security controls and readiness evidence. A formal Security-only SOC 2 Type 1 audit is on the roadmap as the enterprise procurement motion matures.
Our initial planned audit scope is Security-only SOC 2 Type 1 for the production SaaS, customer compliance data, authentication, cloud infrastructure, source control, deployment pipeline, monitoring, and critical vendors.
Controls
SmartComply uses tenant isolation, role-aware access, encrypted transport, managed hosting, audit logging, protected authentication cookies, MFA for administrative systems where supported, and least-privilege operational access where practical.
Data protection
We design product workflows around traceable record changes, signed documents, immutable audit evidence, and support access controls for customer environments.
Incident response
We investigate suspected security events, work to contain confirmed issues, and notify affected customers when legally required or when notice is otherwise appropriate.
Reporting vulnerabilities
Send security reports to security@smartcomply.app with enough detail to reproduce the issue. Please avoid accessing customer data, performing destructive testing, or disrupting service.