Security Policy

Last updated: May 29, 2026

CompFly AI, Inc. (CompFly) maintains a security program designed to protect customer data and the integrity of the CompFly platform. Additional detail and current attestations are available on request ([email protected]).

Security Commitments

Data Protection

  • Customer data is encrypted in transit using TLS 1.2 or higher
  • Customer data is encrypted at rest using AES-256
  • Customer environments are logically isolated
  • Production infrastructure is hosted in a major cloud platform whose own security controls are evaluated annually

Access Control

  • Production system access is restricted on a least-privilege basis
  • Multi-factor authentication is required for production system access
  • Personnel access is reviewed at least annually and revoked on departure or role change

Personnel

  • Pre-employment screening, including identity and work authorization verification, is required before access to CompFly systems is granted
  • Personnel acknowledge confidentiality and security policies at hire and at least annually
  • Annual security awareness training is required

Software Development

  • Production code changes are reviewed and approved before merge
  • Automated dependency scanning and secret scanning are required on production code changes
  • Production branches are protected

Incident Response

  • CompFly maintains a documented incident response program and severity classification
  • Customers are notified of confirmed security incidents involving their data in accordance with applicable law, applicable contracts, and the Incident Disclosure Policy
  • The incident response process is exercised at least annually

Vendor Management

  • Critical vendors processing customer data are subject to security review at onboarding and annually thereafter
  • Data processing agreements or equivalent confidentiality terms are in place with vendors processing customer data
  • A current list of subprocessors is maintained and made available to customers

Business Continuity

  • Production data is backed up by managed cloud services
  • Backup restoration is tested annually
  • Recovery objectives are documented and reviewed at least annually

Audit and Compliance

CompFly maintains a compliance program that includes independent third-party examinations and assessments of its security controls. Current attestations, certifications, and examination reports are listed on the Trust Page at trust.compfly.ai and are available to current and prospective customers under NDA on request.

Reporting a Security Issue

Email [email protected] with a description of the issue, where it was observed, how it can be reproduced, and a contact for follow-up.

CompFly does not operate a bug bounty program and does not invite or solicit security testing of its systems, infrastructure, or user accounts. Any testing beyond the good-faith terms below is unauthorized and may violate our Terms of Service and applicable law.

Good-faith reporting. CompFly will not pursue or support legal action against anyone whose research and reporting comply with all of the following:

  • Identifies a vulnerability through interaction with CompFly's own publicly accessible interfaces,
  • Does not access, modify, exfiltrate, retain, or disclose customer data beyond the minimum necessary to demonstrate the issue,
  • Does not degrade, disrupt, or impair the availability of CompFly services or the experience of other users,
  • Does not use social engineering, physical attacks, or attacks against CompFly personnel, and
  • Reports the issue to [email protected] promptly and does not publicly disclose it until CompFly has had a reasonable opportunity to remediate.

Conduct that complies with these terms is authorized within the meaning of the Computer Fraud and Abuse Act, the Digital Millennium Copyright Act, and analogous state laws, and CompFly waives any conflicting restriction in its Terms of Service for that limited purpose. This is a commitment by CompFly only; it does not bind, and cannot waive the rights of, any third party or government authority. If a claim is brought against a reporter who complied with these terms, CompFly will, on request, confirm in that proceeding that the activity was conducted consistent with this policy. CompFly reserves all rights with respect to activity outside these terms.

If the issue concerns a CompFly subprocessor, please report to the subprocessor directly and copy CompFly only if the issue may affect data shared with CompFly.

CompFly does not commit to a specific external acknowledgment or response timeline. We may follow up if additional information is needed or if there is a material update to share.

Reports are submitted under CompFly's Terms of Service. You grant CompFly a non-exclusive, royalty-free, perpetual, irrevocable license to use, reproduce, and act on the report for security purposes. Submission creates no partnership, agency, or employment relationship and entitles you to no compensation. CompFly reserves all rights at law and in equity.

Contact

[email protected]