Security & trust

Your authority is your livelihood, and the documents in your vault prove it. Here is exactly how we protect them — including, further down, what we haven't done yet. Most security pages don't have that section; in this industry, we think it's the part that earns trust.

Tenant isolation, enforced by the database

Every company's data is walled off with Postgres Row-Level Security — the database itself refuses cross-tenant reads and writes even if the application code has a bug. We verify this with automated cross-tenant tests against the live schema.
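As an added illustration (this is not 1Kompliance's schema or test suite), here is what a tenant-scoped table under Row-Level Security looks like, together with the cross-tenant checks an automated test would run. The table, role and setting names (`documents`, `app_user`, `app.tenant_id`) are assumptions; the FORCE and NULLIF details are the two things practitioners most often get wrong with RLS.

```sql
-- Added example, not 1Kompliance's code. Names (documents, app_user,
-- app.tenant_id) are assumed for illustration.

CREATE TABLE documents (
    id        bigserial PRIMARY KEY,
    tenant_id uuid NOT NULL,
    title     text NOT NULL
);

-- The application connects as a role that does not own the table; RLS applies
-- to such roles as soon as it is enabled.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON documents TO app_user;
GRANT USAGE, SELECT ON SEQUENCE documents_id_seq TO app_user;

ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner bypasses every policy (superusers always do).
-- With FORCE the owner is policy-bound too; since the only policy below is
-- scoped TO app_user, the owner falls back to Postgres's default: no rows.
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- The tenant comes from a per-transaction setting the app sets right after
-- authenticating the request. USING filters SELECT/UPDATE/DELETE; WITH CHECK
-- rejects INSERTs and UPDATEs that would produce a row for another tenant.
-- current_setting(name, true) is NULL when never set and '' after a RESET;
-- NULLIF turns '' into NULL so the uuid cast cannot fail, and NULL compares
-- as not-true, so an unscoped connection sees nothing rather than everything.
CREATE POLICY tenant_isolation ON documents
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Cross-tenant test, run as a role permitted to SET ROLE app_user (e.g. a superuser).
BEGIN;
SET LOCAL ROLE app_user;

SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'Tenant A contract');

SET LOCAL app.tenant_id = '22222222-2222-2222-2222-222222222222';
INSERT INTO documents (tenant_id, title)
VALUES ('22222222-2222-2222-2222-222222222222', 'Tenant B contract');

-- Scoped to B: the policy hides A's row, so only B's row is counted and no
-- row with a different tenant_id is visible at all.
SELECT count(*) FROM documents;
SELECT count(*) FROM documents
 WHERE tenant_id <> current_setting('app.tenant_id')::uuid;

-- A's row is invisible to B, so this UPDATE matches nothing and changes nothing.
UPDATE documents SET title = 'tampered' WHERE title = 'Tenant A contract';

-- Writing a row tagged with A's tenant_id while scoped to B violates WITH CHECK
-- and is rejected by the database; the savepoint keeps the test transaction usable.
SAVEPOINT smuggle;
INSERT INTO documents (tenant_id, title)
VALUES ('11111111-1111-1111-1111-111111111111', 'smuggled');
ROLLBACK TO SAVEPOINT smuggle;

ROLLBACK;
```

The point of the test block is that the assertions are made against the same policy the application runs under: the test connects as the application role, sets the tenant the way the request path does, and then tries to read, update and insert across the boundary. A test that checks the policy text, or that runs as the table owner without FORCE, proves nothing.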

Immutable audit log

Sensitive actions (profile changes, document activity, deletions, billing) are recorded in an append-only log. UPDATE and DELETE are revoked at the database level and blocked by a trigger — history can't be quietly rewritten, including by us.
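An added example (not 1Kompliance's schema) of the two layers the paragraph describes, revoked privileges plus a trigger, and a check that each one holds on its own. Table and role names (`audit_log`, `app_user`) are assumptions.

```sql
-- Added example, not 1Kompliance's code. Names (audit_log, app_user) are assumed.

CREATE TABLE audit_log (
    id          bigserial PRIMARY KEY,
    occurred_at timestamptz NOT NULL DEFAULT now(),
    tenant_id   uuid NOT NULL,
    actor_id    text NOT NULL,
    action      text NOT NULL,   -- e.g. 'document.deleted', 'billing.plan_changed'
    details     jsonb NOT NULL DEFAULT '{}'::jsonb
);

-- Layer 1: privileges. The application role may append and read, nothing else.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT ON audit_log TO app_user;
GRANT USAGE, SELECT ON SEQUENCE audit_log_id_seq TO app_user;
REVOKE UPDATE, DELETE, TRUNCATE ON audit_log FROM app_user, PUBLIC;

-- Layer 2: a trigger. REVOKE does not bind the table owner, but a trigger fires
-- for every role. Only the owner or a superuser can drop or disable it, which
-- is why the database accounts themselves need to sit behind MFA.
CREATE OR REPLACE FUNCTION audit_log_append_only() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RAISE EXCEPTION '% on % rejected: the audit log is append-only',
        TG_OP, TG_TABLE_NAME
        USING ERRCODE = 'insufficient_privilege';
END;
$$;

CREATE TRIGGER audit_log_no_rewrite
    BEFORE UPDATE OR DELETE ON audit_log
    FOR EACH ROW EXECUTE FUNCTION audit_log_append_only();

-- TRUNCATE does not fire row-level triggers, so it needs a statement-level one.
CREATE TRIGGER audit_log_no_truncate
    BEFORE TRUNCATE ON audit_log
    FOR EACH STATEMENT EXECUTE FUNCTION audit_log_append_only();

-- Check both layers inside one transaction (run as the owner or a superuser).
BEGIN;
INSERT INTO audit_log (tenant_id, actor_id, action, details)
VALUES ('11111111-1111-1111-1111-111111111111', 'user_123',
        'document.deleted', '{"document_id": 42}');

-- As the application role, the DELETE is refused on privileges alone,
-- before any trigger gets a chance to run.
SAVEPOINT as_app;
SET LOCAL ROLE app_user;
DELETE FROM audit_log;
ROLLBACK TO SAVEPOINT as_app;
RESET ROLE;

-- As the owner, the privilege check does not apply, but the trigger still raises.
SAVEPOINT as_owner;
UPDATE audit_log SET details = '{}'::jsonb;
ROLLBACK TO SAVEPOINT as_owner;

ROLLBACK;
```

Keeping both layers matters because they fail differently: the REVOKE stops the application role even if someone later drops the trigger by mistake, and the trigger stops the owner and any migration tooling that runs as it. Neither stops a superuser, so "including by us" ultimately rests on who can reach the database as one, which is the access-control section below.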

Encryption everywhere

TLS 1.3 in transit with HSTS preload; AES-256 at rest for the database and document storage. Documents live in private storage — never public URLs.

Access control & MFA

Multi-factor authentication is enforced on every operational account (code, hosting, database, auth, billing). Application access checks run server-side on every request — the client is never trusted.

Change management & scanning

Every change ships through a pull request with required CI: type checks, lint, tests, production build, CodeQL static analysis, dependency audit, and secret scanning. Each merged PR is a change record.

Your data, your exit

One-click permanent account deletion in Settings cascades across the database, auth, documents, and billing (and cancels any subscription). Free-tool data has purpose-keyed retention — see the privacy policy.

Certification status — the honest version

1Kompliance is built to SOC 2 Type II and ISO 27001 control standards from day one. The controls above are designed against those frameworks; our policies, system security plan, and threat model are maintained under version control; and we run a NIST SP 800-171-aligned self-assessment.

We have not yet completed an independent SOC 2 audit. A Type II report requires months of observed evidence and an outside auditor; we will open that observation window before enterprise or partner data flows through the platform, and this page will say so when the report exists. Until then we'd rather tell you plainly than imply otherwise — vague security pages are exactly the kind of thing this company was built against.

Subprocessors

The services that touch your data, what they do, and their own independent certifications:

Provider: purpose (certifications)
  • Vercel: application hosting & edge network (SOC 2 Type II)
  • Neon: Postgres database (SOC 2 Type II · ISO 27001)
  • Clerk: authentication & MFA (SOC 2 Type II)
  • Stripe: payments; card data never touches us (PCI DSS Level 1 · SOC 2)
  • Resend: transactional email (SOC 2 Type II)
  • Sentry: error monitoring (SOC 2 Type II · ISO 27001)

Found a vulnerability?

Email support@1kompliance.com (also published at /.well-known/security.txt). We read every report, respond quickly, and will never respond to good-faith research with legal threats.

This page is part of the product: when our security posture changes, this page changes in the same pull request.

Related: Privacy policy · Terms · How we make money