Security and Privacy

Data storage, access, and AI privacy

Your CalmCompliance data is stored in Neon DB in the UK/EU cloud region, encrypted at rest, encrypted in transit with TLS 1.2+, and backed up daily with backups retained for 30 days. AI features use OpenAI via API and do not train on your data. CalmCompliance staff do not access your data without explicit permission.

Where data is stored

Customer data is held in Neon DB, a cloud-based database hosted in the UK/EU region. Daily backups are performed and retained for 30 days.

Data retention

CalmCompliance retains data according to its published Data Map Policy. User accounts are deleted after a defined period of inactivity. You can also export your data if you ever leave.

Who can access your data

Role-based permissions control what staff can view and change. You assign people as Managers, Members, or Admins for each module. Enterprise plans support single sign-on through Azure AD, Google, or SAML.

CalmCompliance staff do not access your data without explicit permission.

Sensitive personnel blocks can be protected with Record Access Views. When enabled, staff must click View Information to reveal the content, and every reveal is recorded in the audit log. See Control access to sensitive personnel record details, Viewing Audit History, and Understanding Audit Events for details.
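The paragraph above describes two controls working together: a role check before a protected field is shown, and an audit event for every reveal. The following Python model, added here as an illustration and not code from CalmCompliance, shows how those two pieces fit: protected fields render masked, a reveal is allowed only for roles that may see them, and every reveal attempt (granted or denied) lands in an audit log. The role names that may reveal, the event names, and the sample record are assumptions made for this example; the page only states that Managers, Members, and Admins exist and that reveals are audited.

```python
"""Record Access View model: masked rendering, role-gated reveal, audit trail.

Added illustration only, not CalmCompliance's implementation. Role names that
may reveal, event names and the sample record below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Assumption: Managers and Admins may reveal protected blocks; Members may not.
ROLES_ALLOWED_TO_REVEAL = {"Manager", "Admin"}


@dataclass
class AuditEvent:
    actor: str        # who clicked View Information
    action: str       # "reveal" or "reveal_denied" (assumed event names)
    record_id: str
    field_name: str
    timestamp: str    # ISO 8601, UTC


@dataclass
class PersonnelRecord:
    record_id: str
    public_fields: Dict[str, str]
    protected_fields: Dict[str, str]   # hidden until View Information is clicked


def _now() -> str:
    return datetime.now(timezone.utc).isoformat()


class RecordAccessView:
    """Gate between a personnel record and the person viewing it."""

    def __init__(self) -> None:
        self.audit_log: List[AuditEvent] = []

    def render(self, record: PersonnelRecord) -> Dict[str, str]:
        """What the screen shows before any reveal: protected values masked.

        Masking happens here, not in the UI, so a client cannot simply
        un-hide a value it was never sent.
        """
        view = dict(record.public_fields)
        for name in record.protected_fields:
            view[name] = "[hidden: click View Information]"
        return view

    def reveal(self, record: PersonnelRecord, actor: str, role: str,
               field_name: str) -> str:
        """Return one protected value, logging the attempt either way."""
        if field_name not in record.protected_fields:
            raise KeyError(f"{field_name} is not a protected field")
        if role not in ROLES_ALLOWED_TO_REVEAL:
            # Denied attempts are logged too: they are the interesting signal
            # for security monitoring, even though the page only mentions reveals.
            self.audit_log.append(AuditEvent(actor, "reveal_denied",
                                             record.record_id, field_name, _now()))
            raise PermissionError(f"role {role} may not reveal {field_name}")
        self.audit_log.append(AuditEvent(actor, "reveal",
                                         record.record_id, field_name, _now()))
        return record.protected_fields[field_name]


# Constructed sample record (not real data).
SAMPLE_RECORD = PersonnelRecord(
    record_id="emp-0001",
    public_fields={"name": "A. Example", "team": "Operations"},
    protected_fields={"medical_note": "constructed sample note"},
)


def demo() -> List[AuditEvent]:
    """Walk through a masked render, a permitted reveal and a denied one."""
    rav = RecordAccessView()
    print(rav.render(SAMPLE_RECORD))
    print(rav.reveal(SAMPLE_RECORD, "manager@example.test", "Manager", "medical_note"))
    try:
        rav.reveal(SAMPLE_RECORD, "member@example.test", "Member", "medical_note")
    except PermissionError as exc:
        print("denied:", exc)
    return rav.audit_log


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The point to take from the model is the ordering: the masked view never contains the protected value, the reveal path is the only way to obtain it, and that path cannot complete without writing an audit event, which is what makes the audit history a reliable record of who saw what.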

AI and your data

CalmCompliance uses OpenAI via API access. OpenAI does not train on your data. AI suggests category, severity, and title for issues and requests based on your site’s category descriptions and the current submission. A manager always reviews and confirms the final triaged values. See AI-Assisted Triage for the full workflow.

Security controls

  • Encryption: Data is encrypted at rest, and encrypted in transit using TLS 1.2+.

  • Access controls: Role-based permissions restrict data access.

  • ISO 27001: Security controls align with ISO 27001 requirements.

  • Audit logging: All access and data changes are recorded for security monitoring.

Data processing

Processing Activity  | Purpose                      | Data Recipients | Location
User authentication  | Login and access control     | CalmCompliance  | UK/EU Cloud
Document storage     | Managing compliance policies | CalmCompliance  | UK/EU Cloud

Third-party providers and service levels

The Sub-Processors document lists every third-party provider that processes data on CalmCompliance’s behalf, their roles, the types of data they handle, and the measures taken to ensure they meet data protection and security standards. Uptime guarantees and support response times are defined in the published SLA.

For more detail

If you need security documentation for an audit or procurement, review the Legal Stuff page or contact your account manager.