How ComplianceIQ Handles Your Data

Last updated: 23 March 2026

Data Flow Overview

When you upload a document or ask a question, here is exactly what happens to your data:

  1. Your browser sends data to ComplianceIQ servers (Vercel, UK/EU edge) [encrypted: TLS 1.2+]
  2. Document stored in Supabase database (AWS eu-west-2, London) [encrypted at rest: AES-256]
  3. Text extracted and processed on our servers [no third-party access]
  4. Text chunks sent to OpenAI API for embedding generation [see OpenAI section below]
  5. Your question sent to Anthropic Claude API for answer generation [see Anthropic section below]
  6. Response returned to your browser [encrypted: TLS 1.2+]

Diagram: data flow

  Your Browser --(TLS 1.2+ encrypted)--> ComplianceIQ (Vercel, UK/EU edge)
  ComplianceIQ --(encrypted)--> Supabase (UK, London; AES-256 at rest)
  ComplianceIQ --(text chunks)--> OpenAI (US; embeddings only; no training on API data)
  ComplianceIQ --(question + context)--> Anthropic (US; answers only; no training on API data)
  ComplianceIQ --(payment data)--> Stripe (US; PCI DSS; we never see card numbers)

  Key: UK/EU hosted; US processed (SCCs in place)

Third-Party Sub-Processors

Required under UK GDPR. The following sub-processors may access your data as part of providing ComplianceIQ:

  Sub-processor | Purpose                             | Data processed                   | Location                   | DPA
  Supabase      | Database, storage, authentication   | All customer data                | UK (AWS London, eu-west-2) | Signed
  Vercel        | Application hosting, edge functions | Request data                     | EU/UK edge                 | Signed
  OpenAI        | Text embedding generation           | Document text chunks             | US                         | Signed
  Anthropic     | AI response generation              | Questions + context              | US                         | Signed
  Stripe        | Payment processing                  | Payment data                     | US                         | Signed
  Resend        | Email delivery                      | Email addresses, message content | US                         | Signed
  Upstash       | Rate limiting                       | IP addresses, user IDs           | EU                         | Signed

AI Provider Data Handling

AI providers process your data to generate responses and embeddings. They do not retain your data beyond the processing request and do not use it to train their models.

OpenAI (Embeddings)

  • We send document text chunks (typically 500-1000 tokens each) for mathematical vector generation.
  • API data is excluded from model training per their data usage policy.
  • Data retention: up to 30 days for abuse monitoring, then deleted.
  • DPA: openai.com/policies/data-processing-addendum

Anthropic (AI Responses)

  • We send your question and relevant context chunks for compliance answer generation.
  • API data is not used for model training.
  • Zero-data-retention options available for Enterprise API.
  • DPA: anthropic.com/legal/data-processing-addendum

What We Do NOT Do

  • We never sell your data
  • We never share your data with other customers (Row-Level Security isolation)
  • We never use your data to train AI models
  • We never access your documents unless required for support (and only with your permission)
  • We never store payment card details

International Data Transfers

Stays in the UK

  • Your original documents (AWS London via Supabase)
  • Your account information
  • Your conversations and compliance data
  • Your audit results and compliance scores

Processed in the US

  • Document text chunks (OpenAI for embeddings)
  • Questions and context (Anthropic for responses)
  • Payment data (Stripe, PCI DSS compliant)

Legal basis: Standard Contractual Clauses (SCCs) agreed with each US-based sub-processor. All providers maintain appropriate technical and organisational security measures.

For customers requiring all data to remain in the UK, please contact us about our Enterprise plan options.

Backup & Recovery

ComplianceIQ data is backed up daily with point-in-time recovery capability. Backups are retained in accordance with our hosting provider's plan. In the event of data loss, we can restore to any point within the retention period.

Recovery time objective (RTO): 4 hours for full service restoration.

Security Measures

  • Encryption in transit: TLS 1.2+ on all connections
  • Encryption at rest: AES-256 (Supabase managed)
  • Tenant isolation: Row-Level Security (RLS) on all data
  • File scanning: All uploads scanned for malicious content
  • Rate limiting: API rate limiting on all endpoints
  • Input validation: Server-side validation on all inputs
  • Security logging: All security events logged and monitored
  • CSP headers: Content Security Policy on all responses

Incident Response Plan

1. Detection

Security events are monitored via our security log, Vercel analytics, and Supabase monitoring. Critical events trigger immediate admin notification.

2. Classification

  • P1 Critical: Data breach, service outage, authentication bypass
  • P2 High: Suspected breach, partial outage, vulnerability discovered
  • P3 Medium: Failed attack detected, performance degradation
  • P4 Low: Minor security event, policy violation

3. Response Timeline

  • P1: Response within 1 hour. Customer notification within 24 hours. ICO notification within 72 hours if a personal data breach occurs.
  • P2: Response within 4 hours. Assessment within 24 hours.
  • P3: Response within 24 hours.
  • P4: Logged and reviewed weekly.

4. Notification

Affected customers will be notified by email with: what happened, what data was affected, what we are doing about it, and what they should do. The ICO will be notified within 72 hours if a personal data breach occurs (UK GDPR requirement).

5. Recovery

Contain the incident, restore from backups if needed, patch the vulnerability, and conduct a post-incident review to update security measures.

Your Rights & Related Policies

Under UK GDPR, you have the right to access, rectify, erase, restrict processing of, and export your data.

  • Right to deletion: Delete your account and all your data is erased within 30 days. Use the "Delete my account" option in Settings.
  • Right to export: Download all your data at any time from Settings.

Contact

Security concerns: security@complianceiq.co.uk

Data protection: dpo@complianceiq.co.uk