1. Introduction and Scope

CompliRun, Inc. ("CompliRun," "we," "us," or "our") is incorporated in the State of Delaware and operates the CompliRun compliance monitoring platform accessible at complirun.com (the "Platform"). Our principal business address is 500 Boylston Street, Boston, MA 02116.

This Privacy Policy describes how CompliRun collects, uses, discloses, stores, and protects information about individuals who visit our website, sign up for our service, use the Platform, or communicate with us (collectively, "you" or "Users"). It also describes your rights regarding your personal data and how to exercise them.

By using the Platform or providing information to CompliRun, you acknowledge that you have read and understood this Privacy Policy. If you are using CompliRun on behalf of an organization, you represent that you have authority to bind that organization to this policy and that the organization's users are aware of how their data is handled.

This Privacy Policy is incorporated by reference into CompliRun's Terms of Service. Capitalized terms not defined here have the meanings set out in the Terms of Service.

2. Information We Collect

2.1 Account and Identity Information

When you create an account, we collect: your full name, work email address, company name, job title, and phone number (optional). This information is required to provision your account, contact you regarding your subscription, and verify your identity when you contact support.

If you connect a Single Sign-On (SSO) provider such as Google Workspace or an Okta SAML 2.0 integration, we receive your name, email address, and the profile attributes your SSO provider is configured to share. We do not receive your SSO credentials.

2.2 Billing and Payment Information

Payment processing is handled by Stripe, Inc. CompliRun does not store full credit card numbers or bank account details. We receive from Stripe a tokenized payment reference, the last four digits of your card, card brand, and billing address. Stripe's handling of payment data is governed by their own privacy policy and their PCI DSS compliance program.

2.3 Infrastructure and Compliance Data

The core function of CompliRun is to connect to your infrastructure and compliance-related systems and collect evidence for SOC 2 and ISO 27001 purposes. The specific data collected depends on which integrations you connect. Common categories include:

  • Identity and access data: IAM user lists, role assignments, group memberships, MFA enrollment status, and access log exports from AWS, Okta, Google Workspace, and similar systems. We collect this data to generate evidence for SOC 2 CC6.1–CC6.3 and ISO 27001 Annex A.8.1–A.8.5.
  • Infrastructure configuration data: Security group rules, VPC configurations, S3 bucket access policies, CloudTrail trail configurations, GuardDuty status, and similar infrastructure settings from AWS, GCP, and Azure. We collect this data to generate evidence for SOC 2 CC6.6–CC6.7 and ISO 27001 Annex A.8.9.
  • Audit logs and event records: CloudTrail management event logs, Okta system logs, GitHub audit log events, and similar audit trail data. We collect event-level records, not the content of transactions. We do not read database contents, application-level user data, or production traffic payloads.
  • Vulnerability and security scan results: Findings from Snyk, AWS Inspector, Datadog, or similar security tools that you integrate. We store these findings mapped to the relevant compliance controls.
  • Endpoint management data: Device enrollment status, patch compliance status, and disk encryption status from Jamf or similar MDM integrations.

Infrastructure data is collected through read-only API access. CompliRun does not write to, modify, or delete data in your infrastructure systems.

2.4 Usage Data

We collect information about how you interact with the Platform: pages and features visited, actions taken (controls reviewed, evidence items accessed, tasks completed), session duration, browser type and version, operating system, and IP address. This data is used to improve the Platform, provide usage analytics to account administrators, and diagnose technical issues.

2.5 Communications Data

When you contact us by email, through the Platform's support feature, or via live chat, we collect the content of those communications and any attachments. We retain support communications for up to 3 years to assist with related future inquiries.

2.6 Cookies and Tracking Technologies

CompliRun uses cookies and similar tracking technologies on our website and within the Platform. See our Cookie Policy at complirun.com/legal/cookies.html for a complete description of cookies used, their purposes, and how to manage them.

3. How We Use Your Information

3.1 Service Delivery

We use the information we collect primarily to provide the CompliRun Platform: connecting to your integrations, collecting compliance evidence, generating gap reports and readiness dashboards, scheduling and tracking access reviews, maintaining your evidence room, and providing the auditor collaboration features.

3.2 Account Management and Communications

We use your account and contact information to: send service notifications (integration connection failures, evidence collection errors, gap alerts, access review deadlines), send billing communications (invoices, payment failures, subscription changes), respond to support requests, and send product updates and security notices. You may not opt out of transactional communications related to your account or security.

3.3 Product Improvement

We use aggregated, anonymized usage data to understand how the Platform is used, identify features that are working well or need improvement, and prioritize the product roadmap. Individual user behavior data is not shared externally for product improvement purposes.

3.4 Security and Fraud Prevention

We use IP addresses, device information, and authentication logs to detect and prevent unauthorized account access, investigate security incidents, and maintain the integrity of the Platform. We may retain security logs for up to 7 years to support incident investigation.

3.5 Legal Compliance

We may use and disclose your information as required to comply with applicable law, respond to lawful requests from government authorities, enforce our Terms of Service, and protect the rights and safety of CompliRun, our users, and third parties.

4. Legal Basis for Processing (EEA and UK Users)

For users located in the European Economic Area (EEA) or the United Kingdom, our legal basis for processing personal data is:

  • Contract performance: Processing necessary to provide the Platform under our Terms of Service (account data, infrastructure data collected to perform the service, billing data).
  • Legitimate interests: Processing for security, fraud prevention, product improvement, and direct marketing to existing customers, where our interests are balanced against your rights.
  • Legal obligation: Processing required by applicable law, tax regulations, or court orders.
  • Consent: Processing for optional cookies and marketing communications to non-customers. You may withdraw consent at any time without affecting the lawfulness of prior processing.

5. Data Sharing and Disclosure

5.1 Service Providers and Sub-Processors

CompliRun uses third-party service providers to operate the Platform. These sub-processors have access to personal data only to the extent necessary to perform their services. Our current sub-processors include:

  • Amazon Web Services (AWS): Cloud infrastructure hosting, including database storage and compute. Infrastructure data and evidence files are stored in AWS S3 with AES-256 encryption. AWS data center locations are in the United States.
  • Stripe, Inc.: Payment processing. Stripe processes payment card data on our behalf under PCI DSS compliance.
  • Intercom, Inc.: Customer support and in-product messaging. Account contact information and support conversation history are stored in Intercom.
  • SendGrid (Twilio, Inc.): Transactional email delivery. Email addresses and message content for service notifications are processed by SendGrid.
  • Datadog, Inc.: Application performance monitoring and logging. Operational logs including IP addresses and session identifiers are processed by Datadog.

We do not sell your personal data to third parties. We do not share personal data with advertising networks for targeted advertising purposes.

5.2 Auditor Access

When you use CompliRun's Evidence Room sharing feature to invite an external auditor to review your evidence, that auditor will have read-only access to the evidence items and controls documentation in your Evidence Room. You are responsible for any data sharing arrangements with your auditors and for ensuring that auditors are subject to appropriate confidentiality obligations.

5.3 Business Transfers

If CompliRun is involved in a merger, acquisition, sale of assets, or bankruptcy, personal data may be transferred as part of that transaction. We will notify affected users through the Platform or by email before personal data becomes subject to a different privacy policy.

5.4 Legal Requirements

We may disclose personal data when required by law, court order, or valid governmental request. Where permitted, we will attempt to notify you before complying with such requests.

6. Data Security

CompliRun maintains technical and organizational measures designed to protect personal data against unauthorized access, alteration, disclosure, or destruction. Key security measures include:

  • All data stored in AWS S3 uses AES-256 encryption at rest in per-tenant isolated buckets.
  • All data transmitted between your browser, your infrastructure integrations, and CompliRun uses TLS 1.3.
  • Infrastructure credentials (API keys, OAuth tokens) are stored encrypted using AES-256 and are not accessible in plaintext by CompliRun employees.
  • Access to customer data within CompliRun's systems is restricted to engineers who require access for operational support, protected by MFA and logged via CloudTrail.
  • CompliRun maintains a SOC 2 Type II certification for the Platform itself. A copy of the current report is available to customers under NDA upon request.

No security measures are 100% effective. If you discover a potential security vulnerability affecting CompliRun, please report it to contact@complirun.com.

7. Data Retention

We retain data for the following periods:

  • Account and contact data: Retained for the duration of your subscription plus 90 days. After account termination, account data is permanently deleted except as required for legal compliance.
  • Infrastructure evidence and compliance data: Retained for the period specified in your subscription plan: 3 years for Starter, 7 years for Growth. Enterprise plans include configurable retention periods. Upon account termination, evidence data is deleted within 90 days.
  • Billing records: Retained for 7 years as required for tax and financial compliance.
  • Security logs: Retained for up to 7 years for security incident investigation purposes.
  • Support communications: Retained for 3 years.
  • Usage data (analytics): Retained in aggregated, anonymized form indefinitely. Individual session records are retained for 24 months.

At the end of retention periods, data is permanently deleted or anonymized. If you request deletion of your data before the standard retention period expires, we will honor that request except for data retained for legal compliance purposes.

8. International Data Transfers

CompliRun processes data in the United States. If you are located in the EEA, UK, or Switzerland, your personal data will be transferred to the United States for processing. We rely on the following transfer mechanisms:

  • For transfers from the EEA: Standard Contractual Clauses (SCCs) approved by the European Commission.
  • For transfers from the UK: International Data Transfer Agreements (IDTAs) or addenda to SCCs as applicable.

You may request a copy of the applicable transfer mechanism documents by contacting us at contact@complirun.com.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Rights Under GDPR (EEA and UK Users)

  • Right of access: You may request a copy of the personal data we hold about you.
  • Right to rectification: You may request correction of inaccurate personal data.
  • Right to erasure: You may request deletion of your personal data, subject to legal retention requirements.
  • Right to restriction: You may request that we restrict processing of your data in certain circumstances.
  • Right to portability: You may request your personal data in a structured, commonly used, machine-readable format.
  • Right to object: You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw consent at any time.

EEA users have the right to lodge a complaint with their local supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu.

Rights Under CCPA (California Users)

California residents have rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information is collected, the right to delete personal information, the right to opt out of the sale of personal information (CompliRun does not sell personal information), and the right to non-discrimination for exercising CCPA rights.

Exercising Your Rights

To exercise any of these rights, contact us at contact@complirun.com with your request. We will respond within 30 days for most requests. Complex requests may require up to 90 days; we will notify you within 30 days if an extension is required. We may need to verify your identity before processing your request.

10. Cookies

We use cookies and similar technologies on the CompliRun website and Platform. For a detailed description of each cookie type, its purpose, duration, and how to manage your preferences, see our Cookie Policy at complirun.com/legal/cookies.html.

11. Children's Privacy

CompliRun is designed for professional business use and is not directed at individuals under 18 years of age. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, contact us at contact@complirun.com and we will delete it promptly.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes — such as changes to how we use your data, changes to data sharing practices, or changes to your rights — we will notify you by email or through a prominent notice in the Platform at least 30 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of the Platform after the effective date of a revised Privacy Policy constitutes acceptance of the updated terms.

13. Contact Information

For privacy-related questions, requests, or complaints, contact CompliRun's data protection contact at:

CompliRun, Inc.
Attn: Privacy
500 Boylston Street
Boston, MA 02116
United States

Email: contact@complirun.com
Phone: +1 (617) 384-5029