
The leading Infrastructure-as-Code governance platform for engineering teams that value security and compliance.


© 2026 0x0800 SRL. All rights reserved.


Security at Complimetric

We protect your infrastructure data with the same rigour we expect from your IaC. Here is exactly how.

Uptime SLA: status.complimetric.com. To report a vulnerability, see Responsible disclosure below.

Encryption

  • Data in transit

    All traffic between your browser, our API, and internal services is encrypted with TLS 1.3. Older protocol versions are disabled.

  • Data at rest

    Sensitive data (cloud credentials, secrets) is encrypted at rest with AES-256-GCM using envelope encryption: each record is encrypted under its own data key, and that data key is in turn encrypted by a key-encryption key that is stored separately from the data it protects.

  • Cloud credentials

    AWS, Azure, and GCP credentials you connect for drift detection are encrypted individually and never logged or exposed in plaintext.

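The envelope scheme described above, as an added example in Go that is not Complimetric's own code. It assumes a 256-bit key-encryption key (KEK) supplied by the caller (in practice it would be held in a KMS or HSM, never beside the records), a fresh data key (DEK) per credential, and the credential ID bound as GCM associated data so a ciphertext cannot be silently moved to another record. The names EncryptCredential, DecryptCredential and Record are this example's, not the platform's.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is what would be persisted for one credential: the KEK-wrapped data
// key and the DEK-encrypted credential. The KEK itself is never stored here.
type Record struct {
	ID         string // credential identifier, also bound as AAD
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK)
	Ciphertext []byte // nonce || AES-256-GCM(DEK, credential)
}

// seal encrypts plaintext under key with a fresh random nonce, binding aad.
// Output layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails if the tag does not verify, i.e. the
// ciphertext, nonce or aad was altered, or the wrong key is used.
func open(key, data, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:gcm.NonceSize()], data[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptCredential generates a fresh 256-bit DEK for this credential,
// encrypts the credential with it, then wraps the DEK under the KEK.
func EncryptCredential(kek []byte, id string, credential []byte) (Record, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return Record{}, err
	}
	aad := []byte(id)
	ct, err := seal(dek, credential, aad)
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, aad)
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptCredential unwraps the DEK with the KEK, then decrypts the credential.
func DecryptCredential(kek []byte, rec Record) ([]byte, error) {
	aad := []byte(rec.ID)
	dek, err := open(kek, rec.WrappedDEK, aad)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, rec.Ciphertext, aad)
}

func main() {
	// Constructed sample KEK; a real one would come from a KMS/HSM, not from memory here.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	rec, err := EncryptCredential(kek, "cred-aws-prod", []byte("constructed-sample-secret"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptCredential(kek, rec)
	fmt.Printf("roundtrip=%q err=%v\n", pt, err)
	// Rotating the KEK only requires re-wrapping WrappedDEK; Ciphertext is untouched.
}
```

Two properties worth noting: a flipped bit in the ciphertext, a swapped record ID, or a different KEK all fail at the GCM tag check rather than yielding garbage, and rotating the KEK means re-wrapping a 32-byte DEK per record instead of re-encrypting every credential.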
Access Control

  • Authentication

    Users authenticate via GitHub OAuth or email/password. JSON Web Tokens (JWT) are issued as short-lived HTTP-only cookies.

  • Role-based access (RBAC)

    Organizations enforce fine-grained permissions. Members, managers, and owners each have distinct access boundaries enforced server-side.

  • Multi-factor authentication (MFA)

    All admin-panel operations require MFA via WebAuthn (passkeys). Session timeout is enforced after 15 minutes of inactivity.

  • CSRF protection

    Every state-changing request requires a CSRF token validated server-side. The API enforces the double-submit cookie pattern: the token sent in a cookie must match the token sent in the request itself, so a cross-site request, which cannot read the cookie, cannot supply a matching value.

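How the double-submit check and the cookie-based session described above fit together, as an added example in Go (net/http) rather than Complimetric's Node.js code. It assumes a server-side secret, a session cookie named "session" set by the authentication layer, a CSRF cookie named csrf_token and an X-CSRF-Token request header; all of these names are this example's choices. The token is HMAC-bound to the session ID, which closes the known weakness of plain double-submit where an attacker who can set a cookie on a sibling subdomain plants a matching pair.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

const csrfCookie = "csrf_token"
const csrfHeader = "X-CSRF-Token"

// sign computes HMAC-SHA256(secret, sessionID || "." || nonce), base64url-encoded.
func sign(secret []byte, sessionID, nonce string) string {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(sessionID + "." + nonce))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// NewCSRFToken returns "nonce.mac". Binding the session ID means a token
// minted for one session is rejected for every other session.
func NewCSRFToken(secret []byte, sessionID string) (string, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(raw)
	return nonce + "." + sign(secret, sessionID, nonce), nil
}

// ValidateCSRF is the double-submit check: cookie and header must carry the
// same token, and its MAC must verify for the current session. Both
// comparisons are constant-time.
func ValidateCSRF(secret []byte, sessionID, cookieToken, headerToken string) bool {
	if cookieToken == "" || subtle.ConstantTimeCompare([]byte(cookieToken), []byte(headerToken)) != 1 {
		return false
	}
	nonce, mac, ok := strings.Cut(cookieToken, ".")
	if !ok {
		return false
	}
	return hmac.Equal([]byte(mac), []byte(sign(secret, sessionID, nonce)))
}

// CSRFMiddleware enforces the check on every method that can change state.
func CSRFMiddleware(secret []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Method {
		case http.MethodGet, http.MethodHead, http.MethodOptions:
			next.ServeHTTP(w, r) // safe methods: no CSRF check
			return
		}
		sess, err := r.Cookie("session") // HttpOnly session cookie set by the auth layer (assumed)
		if err != nil {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		c, err := r.Cookie(csrfCookie)
		if err != nil || !ValidateCSRF(secret, sess.Value, c.Value, r.Header.Get(csrfHeader)) {
			http.Error(w, "csrf check failed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// SetCSRFCookie issues the token. It is deliberately not HttpOnly so the
// frontend can copy it into the header; the session cookie stays HttpOnly.
func SetCSRFCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{Name: csrfCookie, Value: token, Path: "/", Secure: true, SameSite: http.SameSiteStrictMode})
}

// StatusFor sends a POST through the middleware and returns the HTTP status.
func StatusFor(secret []byte, sessionID, cookieTok, headerTok string) int {
	h := CSRFMiddleware(secret, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	req := httptest.NewRequest(http.MethodPost, "/api/scans", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: sessionID})
	if cookieTok != "" {
		req.AddCookie(&http.Cookie{Name: csrfCookie, Value: cookieTok})
	}
	if headerTok != "" {
		req.Header.Set(csrfHeader, headerTok)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed; load from a secret store in practice
	tok, _ := NewCSRFToken(secret, "sess-123")
	fmt.Println("cookie+header, same session:", StatusFor(secret, "sess-123", tok, tok))
	fmt.Println("cookie only (cross-site POST):", StatusFor(secret, "sess-123", tok, ""))
	fmt.Println("token from another session:  ", StatusFor(secret, "sess-999", tok, tok))
}
```

The second case models the actual attack: a form on an attacker's origin posts to the API with the victim's cookies attached but cannot read the cookie to fill in the header, so it is refused. The third case shows what the HMAC binding adds over plain double-submit.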
Infrastructure

  • Kubernetes hardening

    All workloads run inside Kubernetes (k3s / EKS) with strict NetworkPolicies that limit pod-to-pod communication to declared routes only.

  • Non-root containers

    Every container runs as a non-root user with a read-only root filesystem, and privilege escalation is disabled in the pod security context (the runAsNonRoot, readOnlyRootFilesystem and allowPrivilegeEscalation settings).

  • Secret management

    Secrets are injected at runtime via Kubernetes Secrets (and Helm-managed sealed secrets). No credentials are baked into container images.

  • Network isolation

    Internal services (Resource Engine, Rules Engine, Drift Collector) are never directly reachable from the internet. All traffic is proxied through the authenticated Node.js API.

Compliance & Auditing

  • Immutable audit trail

    Every privileged action (scan triggers, credential changes, member management) is recorded in an append-only audit log with hash-chain integrity verification: each entry carries the hash of the entry before it, so editing, reordering or removing an earlier record breaks the chain and is detected on verification.

  • SOC 2 Type II roadmap

    We are actively working toward a SOC 2 Type II attestation. Controls for availability, confidentiality, and security are being documented and tested.

  • GDPR & data residency

    Infrastructure is hosted in the EU. Data subjects can request export or deletion. See our Privacy Policy and DPA for details.

  • Data retention

    Scan results are retained for the duration of your subscription. Cloud credentials are deleted immediately upon disconnection or account closure.

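The hash-chained audit log described above, as an added example in Go that is not Complimetric's code. It assumes SHA-256 over a canonical JSON encoding of each entry (sequence number, timestamp, actor, action, target and the previous hash), an all-zero genesis hash as the chain anchor, and that timestamps are supplied by the caller; the AuditLog, Entry, Append and Verify names are this example's.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Entry is one audit record. Hash covers every other field including
// PrevHash, so a change to any earlier entry invalidates all later ones.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"` // RFC3339, supplied by the caller
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Target   string `json:"target"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

type AuditLog struct{ Entries []Entry }

// genesis anchors the chain. Verification alone cannot detect truncation of
// the tail; a production log would also publish its latest hash somewhere
// external and write-once so the expected head is known.
var genesis = hex.EncodeToString(make([]byte, 32))

// hashEntry returns SHA-256 over the canonical JSON of e with Hash cleared,
// so the hash field is excluded from its own preimage.
func hashEntry(e Entry) string {
	e.Hash = ""
	b, _ := json.Marshal(e) // deterministic: struct field order is fixed
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Append adds an entry linked to the current head; existing entries are never mutated.
func (l *AuditLog) Append(ts, actor, action, target string) Entry {
	prev := genesis
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: uint64(len(l.Entries)) + 1, Time: ts, Actor: actor, Action: action, Target: target, PrevHash: prev}
	e.Hash = hashEntry(e)
	l.Entries = append(l.Entries, e)
	return e
}

// Verify walks the chain from genesis and returns the 1-based position of the
// first entry that fails (0 and nil error if the log is intact).
func (l *AuditLog) Verify() (uint64, error) {
	prev := genesis
	for i, e := range l.Entries {
		pos := uint64(i) + 1
		if e.Seq != pos {
			return pos, errors.New("sequence gap: entry removed or reordered")
		}
		if e.PrevHash != prev {
			return pos, errors.New("broken link to previous entry")
		}
		if hashEntry(e) != e.Hash {
			return pos, errors.New("entry content does not match its hash")
		}
		prev = e.Hash
	}
	return 0, nil
}

func main() {
	// Constructed sample entries mirroring the privileged actions named on the page.
	var al AuditLog
	al.Append("2026-01-10T09:00:00Z", "alice", "credential.rotate", "aws:prod")
	al.Append("2026-01-10T09:05:00Z", "bob", "scan.trigger", "repo:infra")
	al.Append("2026-01-10T09:07:00Z", "alice", "member.remove", "user:carol")
	pos, err := al.Verify()
	fmt.Println("fresh log: position", pos, "error", err)

	// Simulate an after-the-fact edit of entry 2 (e.g. a direct database write).
	al.Entries[1].Actor = "mallory"
	pos, err = al.Verify()
	fmt.Println("after edit: position", pos, "error", err)
}
```

Recomputing the hash of the edited entry no longer matches its stored value, so Verify reports position 2. Deleting a middle entry is caught by the sequence gap and by the successor's PrevHash no longer matching; only silent removal of the newest entries escapes this check, which is why the head hash should be anchored externally.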
Vulnerability Management

  • Dependency scanning

    All npm, Go, and Python dependencies are scanned with automated tools on every CI build. Critical CVEs trigger immediate patching.

  • Built-in security rules

    Complimetric ships with 2,000+ built-in IaC rules covering CIS Benchmarks, NIST 800-53, PCI-DSS, SOC 2, and OWASP. Rules are updated continuously.

  • Responsible disclosure

    We welcome security research. Report vulnerabilities to security@complimetric.com. We commit to acknowledging reports within 48 hours.

Questions about security?

Our security team is available to answer questions from enterprise customers, security researchers, and partners.

Contact: security@complimetric.com. See also our DPA.