
Security, privacy, and compliance

Compholis Trust Centre

We are building a transparent assurance program so customers, auditors, and regulators understand exactly where our controls stand today and what certifications are on the near-term roadmap.

  • 0 certifications issued yet
  • 10 frameworks in flight for FY26
  • 60+ operational controls documented

Need something specific?

Contact our security team

Email security@compholis.com for tailored questionnaires, DPAs, or to request evidence packages.

Average response time: under 1 business day.

Compliance roadmap

Framework status

We have not yet completed formal certification for the frameworks below. Each programme is actively being implemented with targeted audit windows.

In progress

ISO 27001:2022

ISMS rollout underway. Internal readiness assessment scheduled for Q2 2026.

In progress

ISO/IEC 42001:2023

AI management system governance mapped with policy drafting planned for H2 2026.

In progress

ISO 27701

Privacy Information Management System being layered onto the ISMS controls.

In progress

ISO 27017

Cloud provider shared responsibility controls tracked as part of infrastructure workstream.

In progress

ISO 27018

Public cloud privacy safeguards aligned with product and data governance tracks.

In progress

SOC 2 Type II

Trust Services Criteria mapped; observation window planned to open in 2026.

In progress

GDPR

Full compliance programme in progress, including EU representative appointment and RoPA.

In progress

CCPA

California privacy enhancements incorporated into global privacy policy refresh.

In progress

PCI DSS 4.0.1

Cardholder data environment not yet in scope; foundational controls being prepared.

In progress

Cyber Essentials Plus

Technical controls aligned; awaiting independent assessor engagement.

Status legend: “In progress” indicates that policies, controls, and evidence gathering are underway but third-party certification has not yet been completed.

Control catalogue

Documented safeguards

Every control below is operational today and monitored by the security team. A status of “Operational” indicates that the control is live and routinely reviewed.

Infrastructure Security


Technical safeguards protecting our production hosting environments.

Control Status Description
Service infrastructure maintained
Operational
The company patches the infrastructure supporting the service as part of routine maintenance and in response to identified vulnerabilities, to help ensure that servers supporting the service are hardened against security threats.
Production data backups conducted
Operational
The company performs periodic backups for production data. Data is backed up to a different location than the production system.
Database replication utilized
Operational
The company's databases are replicated to a secondary data center in real-time. Alerts are configured to notify administrators if replication fails.
Production database access restricted
Operational
The company restricts privileged access to databases to authorized users with a business need.
Remote access MFA enforced
Operational
The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.
Production network access restricted
Operational
The company restricts privileged access to the production network to authorized users with a business need.
Unique production database authentication enforced
Operational
The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as unique SSH keys.
Remote access encryption enforced
Operational
The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.
Encryption key access restricted
Operational
The company restricts privileged access to encryption keys to authorized users with a business need.
Production data segmented
Operational
The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.
Production application access restricted
Operational
System access is restricted to authorized users only.
Log management utilized
Operational
The company utilizes a log management tool to identify events that may have a potential impact on the company's ability to achieve its security objectives.
Unique network system authentication enforced
Operational
The company requires authentication to the production network to use unique usernames and passwords or authorized Secure Shell (SSH) keys.
Firewall access restricted
Operational
The company restricts privileged access to the firewall to authorized users with a business need.
Data encryption utilized
Operational
The company's datastores housing sensitive customer data are encrypted at rest.
Segregation in virtual computing environments
Operational
A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.
Unique account authentication enforced
Operational
The company requires authentication to systems and applications to use a unique username and password or authorized Secure Shell (SSH) keys.
Production multi-availability zones established
Operational
The company has a multi-location strategy for production environments employed to permit the resumption of operations at other company data centers in the event of loss of a facility.

Organizational Security


People processes, onboarding commitments, and governance requirements.

Control Status Description
Employee background checks performed
Operational
The company performs background checks on new employees.
Security awareness training implemented
Operational
The company requires employees to complete security awareness training within thirty days of hire and at least annually thereafter.
Confidentiality Agreement acknowledged by contractors
Operational
The company requires contractors to sign a confidentiality agreement at the time of engagement.
Production inventory maintained
Operational
The company maintains a formal inventory of production system assets.
Confidentiality Agreement acknowledged by employees
Operational
The company requires employees to sign a confidentiality agreement during onboarding.
Asset disposal procedures utilized
Operational
The company purges or destroys electronic media containing confidential information in accordance with best practices, and a certificate of destruction is issued for each device destroyed.
Whistleblower policy established
Operational
The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

Internal Security Procedures


Process-oriented controls governing resilience, incident handling, and governance.

Control Status Description
Continuity and disaster recovery plans tested
Operational
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.
Incident response plan tested
Operational
The company tests its incident response plan at least annually.
Access requests required
Operational
The company ensures that user access to in-scope system components is based on job role and function or requires a documented access request form and manager approval prior to access being provisioned.
Backup processes established
Operational
The company's data backup policy documents requirements for backup and recovery of customer data.
Vendor management program established
Operational
The company has a vendor management program in place. Components of this program include: critical third-party vendor inventory; vendor's security and privacy requirements; and review of critical third-party vendors at least annually.
Incident response policies established
Operational
The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.
Configuration management system established
Operational
The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.
Management roles and responsibilities defined
Operational
The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.
Service description communicated
Operational
The company provides a description of its products and services to internal and external users.
Security policies established and reviewed
Operational
The company's information security policies and procedures are documented and reviewed at least annually.
Support system available
Operational
The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.
Roles and responsibilities specified
Operational
Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.
Data center access reviewed
Operational
The company reviews access to the data centers at least annually.
Physical access processes established
Operational
The company has processes in place for granting, changing, and terminating physical access to company data centers based on an authorization from control owners.
Third-party agreements established
Operational
The company has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.
Incident management procedures followed
Operational
The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.
Development lifecycle established
Operational
The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.
Cybersecurity insurance maintained
Operational
The company maintains cybersecurity insurance to mitigate the financial impact of business disruptions.
Continuity and Disaster Recovery plans established
Operational
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

AI Security & Compliance


Controls aligned to ISO/IEC 42001 and responsible AI expectations.

Control Status Description
AI system impact assessment
Operational
The organization shall perform AI system impact assessments according to 6.1.4 at planned intervals or when significant changes are proposed to occur. The organization shall retain documented information of the results of all AI system impact assessments.
Determining the scope of the AI management system
Operational
The organization shall determine the boundaries and applicability of the AI management system to establish its scope. When determining this scope, the organization shall consider: the external and internal issues referred to in 4.1; the requirements referred to in 4.2. The scope shall be available as documented information. The scope of the AI management system shall determine the organization’s activities with respect to this document’s requirements on the AI management system, leadership, planning, support, operation, performance, evaluation, improvement, controls and objectives.
AI objectives and planning
Operational
The organization shall establish AI objectives at relevant functions and levels. The AI objectives shall be consistent with the AI policy, be measurable, take into account applicable requirements, be monitored, be communicated, be updated as appropriate, and be available as documented information. Planning includes defining work, resources, responsibilities, deadlines, and evaluation methods.
Monitoring, measurement, analysis
Operational
The organization shall determine what needs to be monitored and measured, the methods, timing, and evaluation of results. Documented information shall evidence performance and effectiveness of the AI management system.
General (internal audit)
Operational
The organization shall conduct internal audits at planned intervals to provide information on whether the AI management system conforms to requirements and is effectively implemented and maintained.
Continual improvement
Operational
The organization shall continually improve the suitability, adequacy and effectiveness of the AI management system.
Nonconformity and corrective action
Operational
When a nonconformity occurs, the organization reacts, evaluates causes, implements action, reviews effectiveness, and keeps evidence of nonconformities and corrective actions.
AI policy (documented)
Operational
The organization should document a policy for the development or use of AI systems.
External reporting
Operational
The organization should provide capabilities for interested parties to report adverse impacts of the system.
Communication of incidents
Operational
The organization should determine and document a plan for communicating incidents to users of the system.
Information for interested parties
Operational
The organization should determine and document its obligations to reporting information about the AI system to interested parties.
Processes for responsible use of AI
Operational
The organization should define and document the processes for the responsible use of AI systems.
Objectives for responsible use of AI
Operational
The organization should identify and document objectives to guide the responsible use of AI systems.
Intended use of the AI system
Operational
The organization should ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation.
Understanding the organization and its context
Operational
The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its AI management system. The organization shall determine whether climate change is a relevant issue and consider the intended purpose of AI systems.
Understanding the needs and expectations of interested parties
Operational
The organization shall determine the interested parties that are relevant to the AI management system, their requirements, and which requirements will be addressed.
AI management system
Operational
The organization shall establish, implement, maintain, continually improve and document an AI management system, including the processes needed and their interactions.
Leadership and commitment
Operational
Top management shall demonstrate leadership and commitment with respect to the AI management system, ensuring resources, integration, communications, and continual improvement.
AI policy (top management)
Operational
Top management shall establish an AI policy that is appropriate, provides a framework for objectives, meets requirements, and is communicated and made available.
Roles, responsibilities and authorities
Operational
Top management assigns responsibility and authority for ensuring conformity and reporting on AI management system performance.
Awareness
Operational
Persons doing work under the organization’s control are aware of the AI policy, their contributions, and implications of not conforming.
Communication
Operational
The organization determines internal and external communications relevant to the AI management system.
Documented information (general)
Operational
The organization’s AI management system includes documented information required by the standard and what the organization deems necessary.
Creating and updating documented information
Operational
When creating and updating documentation, the organization ensures appropriate identification, format, media, and review/approval.
AI risk treatment (plan execution)
Operational
The organization implements the AI risk treatment plan, verifies effectiveness, and updates the plan when needed.
Internal audit programme
Operational
The organization plans, establishes, implements, and maintains audit programmes covering objectives, scope, methods, and reporting.
General management review
Operational
Top management reviews the AI management system to ensure suitability, adequacy, and effectiveness.
Management review inputs
Operational
Management review covers prior actions, changes in context, needs of interested parties, performance data, and improvement opportunities.
Management review results
Operational
Results include decisions on continual improvement and needed changes, retained as documented information.
Reporting of concerns
Operational
The organization defines and implements a process to report concerns about its role with respect to an AI system throughout its life cycle.
Control of documented information
Operational
Documented information required by the AI management system is controlled to ensure availability, suitability, and protection.
Planning for the AI management system
Operational
The organization considers issues, requirements, risks, and opportunities to assure the AI management system achieves intended results and supports continual improvement.
AI risk assessment (process definition)
Operational
The organization defines and establishes an AI risk assessment process aligned with policy and objectives.
AI risk treatment (process definition)
Operational
Taking risk assessment results into account, the organization defines a treatment process including selecting options and verifying controls.
AI risk assessment (execution)
Operational
AI risk assessments are performed at planned intervals or upon significant change, with documented results.
AI system deployment
Operational
The organization documents deployment plans and ensures requirements are met before deployment.
AI system recording of event logs
Operational
The organization determines life-cycle phases requiring event logs, ensuring logging at minimum when AI systems are in use.
Quality of data for AI systems
Operational
Data quality requirements are defined and enforced for datasets used to develop and operate AI systems.
System documentation and information
Operational
Necessary system information is provided to users.

Product Security


Security engineering safeguards for the platform itself.

Control Status Description
Penetration testing performed
Operational
The company's penetration testing is performed at least annually. A remediation plan is developed and changes are implemented to remediate vulnerabilities in accordance with SLAs.
Data encryption utilized
Operational
The company's datastores housing sensitive customer data are encrypted at rest.
Vulnerability and system monitoring procedures established
Operational
The company's formal policies outline the requirements for vulnerability management and system monitoring.

Data & Privacy


Privacy-forward controls supporting GDPR, CCPA, and other regulatory regimes.

Control Status Description
Privacy policy established
Operational
The company has a privacy policy in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.
Data retention procedures established
Operational
The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.
Privacy compliant procedures established
Operational
The company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company's designated tracking system and communicated to the individual.
Privacy policy available
Operational
The company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.
Privacy policy reviewed
Operational
The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.
Privacy policy maintained
Operational
The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information.
Data classification policy established
Operational
The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.
Data deletion requests handled
Operational
The company validates deletion requests; once a request is confirmed, it is flagged and the requested information is deleted, in accordance with applicable laws and regulations.
Continuity and Disaster Recovery plans established
Operational
The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.
Continuity and Disaster Recovery plans tested annually
Operational
The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it annually.
Limit collection
Operational
The company limits collection of PII to the minimum that is necessary for its purposes.
Appoint EU representative
Operational
The company shall appoint an EU-based representative.
Customer data deleted upon departure
Operational
The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.
PII transmission controls for processor
Operational
The company encrypts PII in transit.
PII transmission controls for controller
Operational
The company implements technical controls to ensure that data transmitted to third parties reaches its intended destination.