Security
Every layer of the Compass: Engine™ platform is designed with security as a core requirement, not an afterthought. From infrastructure to identity, here is how we protect your data.
Our Approach
Security is embedded across the entire software development lifecycle. Every code change undergoes peer review before deployment. All infrastructure is defined as code and deployed through version-controlled pipelines, so there are no manual changes and a full audit trail of every modification.
We hold Cyber Essentials accreditation and are actively working towards ISO 27001 certification. All underlying cloud infrastructure is provided by Amazon Web Services in the eu-west-2 (London) region, which carries AWS's own ISO 27001, SOC 2, and PCI DSS certifications.
Security responsibility sits with David Blaney, Head of Engineering, who holds direct delegated authority for all security decisions across the platform.
Every code change is reviewed before it reaches production. No unreviewed code is deployed.
All cloud resources are defined in Terraform and deployed through automated pipelines, providing a complete audit trail.
All services stream logs to AWS CloudWatch. Distributed tracing via AWS X-Ray spans every request across ECS and Lambda.
Credentials are stored in AWS Secrets Manager and injected at runtime. They are never hardcoded or stored in source code.
How We Protect Your Data
From the physical data centre to the application layer, every tier of the stack is hardened, monitored, and audited.
All data is processed, stored, and transmitted exclusively within AWS eu-west-2 (London). No data leaves the UK or EEA at any point.
Data at rest is encrypted with AES-256 across Aurora PostgreSQL, Redshift, S3, and Secrets Manager. All data in transit is protected with TLS 1.2 or higher.
Auth0 handles all authentication with support for SSO via SAML 2.0 and Azure Active Directory. Every API request requires a validated JWT. MFA is enforced on all privileged accounts.
Services run in a private VPC with public and private subnet separation. Databases and internal services have no direct internet exposure. Security groups enforce least-privilege access between every tier.
Each organisation's data is isolated through application-enforced role-based access controls. Database queries are always scoped to the authenticated organisation. Cross-tenant access is not possible.
All services run as sealed container images from a private ECR registry. No SSH access or software installation is possible at runtime. Container images are scanned for CVEs on every push.
Compliance & Accreditation
We hold current accreditations and are on a defined path to further certification.
Current
SimAnalytica holds current Cyber Essentials accreditation, covering the five key controls for protecting against common cyber attacks. Certificate available on request.
AWS Infrastructure
All underlying infrastructure in AWS eu-west-2 is covered by AWS's own ISO/IEC 27001:2013 UKAS-accredited certification, encompassing compute, storage, networking, and managed services used by this platform.
In Progress
We are working towards our own ISO 27001 certification at the application and organisational level, with an anticipated completion within the next three years.
Data Protection
We maintain a Data Processing Agreement with AWS as sub-processor. Data is processed solely for agreed purposes. We support subject access requests and the right to erasure, and maintain documented retention policies.
Resilience
We maintain a documented Disaster Recovery policy with defined RTO and RPO targets. DR testing is conducted every six months. AWS Backup runs daily with seven-day retention across all data stores.
Vulnerability Management
Infrastructure is reviewed for security patches quarterly. Serverless services are patched automatically by AWS. Critical vulnerabilities are addressed within 48 hours of disclosure.
Responsible AI
The Compass: Engine™ AI layer is built on the principle that AI augments human decision-making rather than replacing it. No autonomous decisions are made without human review.
All AI processing occurs exclusively within AWS eu-west-2 under contractual sub-processor data processing agreements. User data is never used to train models. AI behaviour is monitored and logged end-to-end via LangSmith observability tooling, and all model outputs are validated against known data schemas before being returned to users.
AI generates queries, summaries, and insights that are presented to human users. No autonomous decisions are taken without human review.
All AI processing occurs under sub-processor data processing agreements. Client data is not used to train or fine-tune any model.
Input validation and prompt guardrails are in place to prevent adversarial attacks and data poisoning. All model outputs are validated against known schemas before being returned.
All AI agent behaviour is traced and logged via LangSmith, providing a complete audit trail of every model invocation and output.
Questions?
If you have specific security, compliance, or data residency requirements, we are happy to discuss them directly. We work with public sector organisations and regulated industries, and can provide additional documentation on request.
Get in touch