Security & trust at Compass

Compass is built for DTC health brands handling patient-adjacent data. We take compliance and security seriously — here's exactly how we protect your data.

HIPAA

BAA available

Compass is designed for HIPAA-eligible workloads. Customers on the Insights tier can execute a Business Associate Agreement (BAA) before uploading PHI-adjacent data. Free tier accounts process de-identified data only.

SOC 2

Type 1 in progress — target Q3 2026

We are currently undergoing a SOC 2 Type 1 audit with an independent auditor. Our target completion is Q3 2026. In the interim, we provide our security overview documentation and vendor questionnaire responses upon request.

Encryption

  • In transit: TLS 1.3 enforced across all connections. Older protocol versions rejected.
  • At rest: AES-256 encryption for all stored data.
  • Key management: AWS Key Management Service (KMS) with automatic key rotation.
  • Database: Encrypted PostgreSQL on RDS with automated backups.

Infrastructure — Hosted on AWS

Compass is hosted entirely on Amazon Web Services, which offers the most comprehensive set of HIPAA-eligible cloud services. We use the following HIPAA-eligible AWS services:

  • Amazon RDS (PostgreSQL)
  • Amazon S3
  • Amazon ECS (Fargate)
  • AWS KMS
  • Amazon SES
  • AWS CloudWatch
  • AWS Secrets Manager
  • Amazon VPC
  • AWS IAM

Our infrastructure is deployed in AWS us-east-1 (primary) with cross-region backup to us-west-2.

Vulnerability Disclosure

We take security reports seriously. If you believe you've found a vulnerability in Compass, please disclose it responsibly:

  • Email security@joincompass.ai with a description of the issue
  • Include steps to reproduce and potential impact
  • We will acknowledge receipt within 2 business days and aim to remediate within 30 days for critical issues

We ask that you do not publicly disclose issues until we've had a chance to address them. We do not currently offer a bug bounty program, but we deeply appreciate responsible disclosures.