Security program
SmartComply maintains a security program designed for a multi-tenant SaaS platform used by utilities, agencies, and regulated communities to manage compliance records and workflows.
The program is risk-based and evolves with the product, customer requirements, procurement obligations, and the maturity of the company.
SOC 2 status
SmartComply maintains SOC 2-aligned security controls and readiness evidence. A formal Security-only SOC 2 Type 1 audit is on the roadmap as the enterprise procurement motion matures.
Our initial planned audit scope is Security-only SOC 2 Type 1 for the production SaaS, customer compliance data, authentication, cloud infrastructure, source control, deployment pipeline, monitoring, and critical vendors.
A SOC 2 report is an auditor's attestation rather than a certification. SmartComply should not be described as SOC 2 certified or SOC 2 compliant unless a current report has been issued and is available under NDA.
Access control
SmartComply uses tenant-aware access controls, role-based authorization, protected authentication cookies, administrative access restrictions, and least-privilege operational access where practical.
Customers are responsible for configuring users, roles, external portals, API keys, webhooks, and integrations appropriately for their organization.
Administrative access to production systems is limited to authorized personnel with a business need and may be logged, reviewed, or revoked.
Tenant isolation
SmartComply is designed around workspace or tenant separation. Application logic and database access patterns are intended to keep each customer’s data scoped to its authorized tenant.
Public API access is tenant-scoped through the caller's credentials: an API key grants access only to the tenant it was created for, so customers should issue separate credentials for each tenant and for each environment rather than sharing one key across them.
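The tenant-scoping pattern described above, as an added illustration (this is not SmartComply's code; the ApiKeyStore, RecordRepository, fetch_record helper and tenant names are hypothetical, and an in-memory SQLite table stands in for the production database): the tenant is resolved from the stored key record, never taken from the request, and the repository injects that tenant into every query so a handler cannot omit the filter.

```python
import hashlib
import secrets
import sqlite3
from dataclasses import dataclass


class TenantScopeError(LookupError):
    """Record not visible to the caller's tenant. Raised as a 'not found'
    rather than 'forbidden' so callers cannot probe other tenants' IDs."""


@dataclass(frozen=True)
class Principal:
    """What an authenticated API key resolves to; tenant_id comes from the
    stored key record, never from anything the caller sends."""
    tenant_id: str
    key_id: str


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_id: str
    body: str


class ApiKeyStore:
    """Issues per-tenant API keys and stores only their SHA-256 digests."""

    def __init__(self) -> None:
        self._by_digest: dict[str, Principal] = {}

    def mint(self, tenant_id: str) -> str:
        key = "sc_" + secrets.token_urlsafe(24)            # ~192 bits of entropy
        digest = hashlib.sha256(key.encode()).hexdigest()
        self._by_digest[digest] = Principal(tenant_id, key_id=digest[:8])
        return key                                          # shown to the customer once

    def authenticate(self, presented: str) -> Principal:
        digest = hashlib.sha256(presented.encode()).hexdigest()
        try:
            return self._by_digest[digest]
        except KeyError:
            raise PermissionError("unknown API key") from None


class RecordRepository:
    """Every query adds tenant_id from the Principal, so a request handler
    cannot forget the filter or let the caller choose the tenant."""

    def __init__(self) -> None:
        self._db = sqlite3.connect(":memory:")
        # Composite key: the same record_id may legitimately exist in two tenants.
        self._db.execute(
            "CREATE TABLE records (record_id TEXT, tenant_id TEXT, body TEXT, "
            "PRIMARY KEY (tenant_id, record_id))"
        )

    def insert(self, who: Principal, record_id: str, body: str) -> None:
        self._db.execute("INSERT INTO records VALUES (?, ?, ?)",
                         (record_id, who.tenant_id, body))

    def get(self, who: Principal, record_id: str) -> Record:
        row = self._db.execute(
            "SELECT record_id, tenant_id, body FROM records "
            "WHERE tenant_id = ? AND record_id = ?",
            (who.tenant_id, record_id),
        ).fetchone()
        if row is None:
            raise TenantScopeError(f"record {record_id!r} not found")
        return Record(*row)

    def list_ids(self, who: Principal) -> list[str]:
        rows = self._db.execute(
            "SELECT record_id FROM records WHERE tenant_id = ? ORDER BY record_id",
            (who.tenant_id,),
        ).fetchall()
        return [r[0] for r in rows]


def fetch_record(keys: ApiKeyStore, repo: RecordRepository,
                 api_key: str, record_id: str) -> Record:
    """The whole handler path: credential -> principal -> tenant-scoped query."""
    return repo.get(keys.authenticate(api_key), record_id)


def demo() -> dict:
    """Constructed scenario: two tenants, a shared record_id, separate keys."""
    keys, repo = ApiKeyStore(), RecordRepository()
    key_a, key_b = keys.mint("tenant-a"), keys.mint("tenant-b")
    repo.insert(keys.authenticate(key_a), "rec-1", "tenant A permit record")
    repo.insert(keys.authenticate(key_a), "rec-2", "tenant A inspection")
    repo.insert(keys.authenticate(key_b), "rec-1", "tenant B permit record")

    out = {
        "a_sees": fetch_record(keys, repo, key_a, "rec-1").body,
        "b_sees": fetch_record(keys, repo, key_b, "rec-1").body,
        "a_ids": repo.list_ids(keys.authenticate(key_a)),
        "b_ids": repo.list_ids(keys.authenticate(key_b)),
    }
    try:                                   # tenant B asking for A's rec-2
        fetch_record(keys, repo, key_b, "rec-2")
        out["cross_tenant"] = "leaked"
    except TenantScopeError:
        out["cross_tenant"] = "blocked"
    try:                                   # unknown key never reaches the database
        fetch_record(keys, repo, "sc_not-a-real-key", "rec-1")
        out["bad_key"] = "accepted"
    except PermissionError:
        out["bad_key"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the design is what the request cannot do: no method accepts a tenant identifier from the caller, so a request body or query string carrying someone else's tenant ID has nothing to influence. The anti-pattern this guards against is a handler that reads tenant_id from the request and passes it straight into the query.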
Encryption and transport security
SmartComply uses encrypted transport for data in transit where supported by the protocol and provider.
Production data is stored using managed cloud infrastructure and database services that provide encryption at rest or equivalent storage-layer protections.
Customers should not send secrets, passwords, payment card numbers, or unrelated sensitive data through support chat, email, or free-text fields.
Logging, monitoring, and audit trails
SmartComply uses logs, diagnostics, request identifiers, audit trails, and monitoring to troubleshoot issues, investigate suspicious activity, support compliance workflows, and maintain service reliability.
Product audit trails may record who performed an action, what changed, timestamps, IP address or session metadata, signature events, submission events, and workflow history.
Security and diagnostic logs are access-restricted and retained according to operational, legal, and customer requirements.
Secure development and change management
SmartComply uses source control, review practices, environment separation, deployment controls, dependency management, and testing appropriate for the stage and risk of the product.
Changes to production systems may be logged and deployed through controlled pipelines. Preview and development environments should not be used for production customer data unless expressly approved.
Vulnerability management
We monitor for vulnerabilities in application code, dependencies, cloud services, and critical providers using available tools and provider notices.
Risk is prioritized based on exploitability, affected systems, data sensitivity, customer impact, and availability of fixes or mitigations.
Security reports should be sent to security@smartcomply.app with enough detail to reproduce the issue. While testing, please avoid accessing customer data, destructive testing, social engineering, spam, leaving persistent access behind, or disrupting the service.
Backups and resilience
SmartComply relies on managed hosting, database, and infrastructure providers for core availability and backup capabilities.
Recovery objectives may vary by plan, deployment, customer agreement, and feature. Enterprise customers should confirm any specific uptime, backup, disaster recovery, or SLA commitments in a written agreement.
Incident response
We investigate suspected security events, work to contain confirmed issues, preserve relevant evidence, remediate root causes where practical, and notify affected customers when legally required or when notice is otherwise appropriate.
Customer cooperation may be required to investigate incidents involving customer-configured users, credentials, integrations, API keys, public portals, or imported data.
Customer security responsibilities
Customers should use strong authentication practices, limit administrator access, promptly remove former users, protect API keys, configure roles carefully, review public portal settings, monitor exports, and train users on appropriate data handling.
Customers are responsible for endpoint security, email security, connected systems, user devices, network access, and the accuracy of data imported or submitted into SmartComply.
Security documentation
Security questionnaires, procurement materials, vendor reviews, and enterprise security exhibits may be available under NDA or as part of an enterprise procurement process.
This public Security Policy is a summary and does not create a separate warranty, SLA, certification, or contractual control unless incorporated into a signed agreement.