Data storage, access, and AI privacy
Your CalmCompliance data is stored in Neon DB in the UK/EU cloud region, encrypted at rest, encrypted in transit with TLS 1.2+, and backed up daily, with backups retained for 30 days. AI features use OpenAI via API and do not train on your data. CalmCompliance staff do not access your data without explicit permission.
Where data is stored
Customer data is held in Neon DB, a cloud-based database hosted in the UK/EU region. Daily backups are performed and retained for 30 days.
Data retention
CalmCompliance retains data according to its published Data Map Policy. User accounts are deleted after a defined period of inactivity. You can also export your data if you ever leave.
Who can access your data
Role-based permissions control what staff can view and change. You assign people as Managers, Members, or Admins for each module. Enterprise plans support single sign-on through Azure AD, Google, or SAML.
CalmCompliance staff do not access your data without explicit permission.
Sensitive personnel blocks can be protected with Record Access Views. When enabled, staff must click View Information to reveal the content, and every reveal is recorded in the audit log. See Control access to sensitive personnel record details and Viewing Audit History and Understanding Audit Events for details.
AI and your data
CalmCompliance uses OpenAI via API access. OpenAI does not train on your data. AI suggests category, severity, and title for issues and requests based on your site’s category descriptions and the current submission. A manager always reviews and confirms the final triaged values. See AI-Assisted Triage for the full workflow.
Security controls
Encryption: Data is encrypted at rest, and encrypted in transit using TLS 1.2+.
Access controls: Role-based permissions restrict data access.
ISO 27001: Security controls align with ISO 27001 requirements.
Audit logging: All access and data changes are recorded for security monitoring.
Data processing
| Processing Activity | Purpose | Data Recipients | Location |
|---|---|---|---|
| User authentication | Login and access control | CalmCompliance | UK/EU Cloud |
| Document storage | Managing compliance policies | CalmCompliance | UK/EU Cloud |
Third-party providers and service levels
The Sub-Processors document lists every third-party provider that processes data on CalmCompliance’s behalf, their roles, the types of data they handle, and the measures taken to ensure they meet data protection and security standards. Uptime guarantees and support response times are defined in the published SLA.
For more detail
If you need security documentation for an audit or procurement, review the Legal Stuff page or contact your account manager.