Security & governance

Enterprise-grade security at every layer

ComplAI is built with security as a foundation — not an afterthought. Multi-tenant isolation, granular permissions, immutable audit logs, and encrypted document storage protect your compliance data end to end.

Role-based access
Audit logging
Encrypted storage
Tenant isolation
Granular permissions
Access control model
Level 1 · Platform
ComplAI team — full system access, organization management, platform configuration
Level 2 · Organization
Super admin, org admin — manage companies, users, roles, and org-wide settings
Level 3 · Company
Company admin, CS, compliance officer — company-scoped data, registers, workflows
01

Role-based access control

Three-tier access hierarchy that mirrors how compliance organizations actually operate. Platform administrators manage the system, organization admins manage their firm, and company-level users work within their assigned entities.

  • 3-tier model — Platform, organization, and company layers
  • Admin bypass — Level 1-2 admins never blocked by permission checks
  • Middleware enforcement — Every route protected at the API layer
  • Cross-tier access — Org users get elevated permissions on company data
Activity timeline
Annual return (MGT-7) approved
Priya Sharma approved step 4 of 4 for Reliance Industries
2 minutes ago · 10:42 AM
Director KYC form updated
Rajesh Kumar updated DIR-3 KYC fields for TCS Limited
15 minutes ago · 10:29 AM
Permission role modified
Admin changed Company Secretary role — added registers:export permission
1 hour ago · 09:44 AM
Failed login attempt
Unknown IP 203.0.113.42 attempted login for user@example.com
3 hours ago · 07:15 AM
02

Audit logs and activity tracking

Every action in ComplAI generates an immutable audit record with enriched, human-readable descriptions. Know exactly who changed what, when, and why — across every module, every company, every user.

  • Immutable records — Audit entries cannot be modified or deleted
  • Enriched descriptions — Human-readable context for every action
  • Step-level tracking — Wizard and workflow progress logged per step
  • Compliance-ready — Auditor-friendly export of complete activity history
Document security
Encrypted upload
TLS 1.3 in transit, AES-256 at rest
Version control
Full history, diff tracking, rollback
Access-controlled
Permission-gated viewing and downloads
Audit-linked
Every view, download, edit logged
03

Secure document storage

Board resolutions, statutory forms, and certificates are stored with enterprise-grade encryption and access controls. Every document is versioned, every access is logged, and every download requires the right permissions.

  • Encryption — TLS 1.3 in transit, AES-256 encryption at rest
  • Version history — Complete revision chain with rollback capability
  • Access gating — Permission-based viewing and download controls
  • Audit linkage — Documents linked to compliance records they support
Data isolation
Org A — ABC Associates
12 companies
Isolated
Org B — XYZ Partners
8 companies
Isolated
Row-level security (RLS) policies enforce isolation at the database layer
04

Multi-tenant architecture

Every organization's data is completely isolated at the database level using PostgreSQL Row-Level Security policies. Organization A can never see Organization B's data — enforced by the database engine itself, not just application logic.

  • Database-level isolation — RLS policies on every table
  • Org-scoped queries — Every query automatically filtered by org_id
  • Context injection — App context set per request via session variables
  • Superadmin bypass — Platform admins access all orgs for support
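As an added illustration (not ComplAI's own schema or policies), the pattern described above is usually implemented in PostgreSQL as shown below: an RLS policy keyed on a per-request session variable, a second policy for the platform-admin bypass, and the role setup that decides whether the database really enforces isolation. The table, role and setting names (companies, app_user, app.current_org_id, app.is_platform_admin) are assumptions for this example.

```sql
-- Added example, not ComplAI's code. Assumed names: companies, app_user,
-- app.current_org_id, app.is_platform_admin.

CREATE TABLE companies (
    id     bigserial PRIMARY KEY,
    org_id uuid NOT NULL,
    name   text NOT NULL
);

-- Enable RLS and FORCE it so that even the table owner is subject to policies.
ALTER TABLE companies ENABLE ROW LEVEL SECURITY;
ALTER TABLE companies FORCE ROW LEVEL SECURITY;

-- Tenant policy: a row is visible and writable only when its org_id matches
-- the org set for this request. current_setting(..., true) returns NULL rather
-- than raising when the variable was never set, and NULLIF handles the empty
-- string, so a request with no org context sees nothing instead of everything.
CREATE POLICY org_isolation ON companies
    USING      (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid)
    WITH CHECK (org_id = NULLIF(current_setting('app.current_org_id', true), '')::uuid);

-- Platform-admin bypass for support, modelled as a second permissive policy
-- instead of granting BYPASSRLS to the role: the support session still runs as
-- app_user and any restrictive policies added later still apply to it.
CREATE POLICY platform_admin_all ON companies
    USING (current_setting('app.is_platform_admin', true) = 'true');

-- The application role must not be the table owner, a superuser, or BYPASSRLS;
-- any of those would silently skip every policy above.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON companies TO app_user;
GRANT USAGE, SELECT ON SEQUENCE companies_id_seq TO app_user;

-- Per-request context injection. SET LOCAL is scoped to the transaction, so a
-- pooled connection cannot carry Org A's context into Org B's next request.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';

-- Returns only Org A's rows; no WHERE org_id = ... is needed in application
-- code, and forgetting one no longer leaks data.
SELECT id, name FROM companies;

-- Writing a row for another org fails the WITH CHECK clause. The same clause
-- stops an UPDATE from moving an existing row to a different org_id.
INSERT INTO companies (org_id, name)
VALUES ('22222222-2222-2222-2222-222222222222', 'XYZ Partners');  -- rejected by RLS
ROLLBACK;
```

Two things to verify in any deployment of this pattern: the application connects as a role that owns nothing and has neither SUPERUSER nor BYPASSRLS (otherwise RLS is decorative), and the code that sets app.is_platform_admin does so only after authenticating a Level 1 user, because the database trusts whatever the session variable says.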
Permission matrix
Modules (rows): Registers, Workflows, Users, Documents
Actions (columns): Read, Create, Update, Delete, Export
05

Controlled user permissions

85 configurable permissions organized across organization and company layers, following a resource:action naming pattern. Every new feature ships with permissions auto-assigned to admin roles and enforced in both backend middleware and frontend UI.

  • 85 permissions — 31 organization + 54 company layer
  • resource:action pattern — registers:read, workflows:create, users:delete
  • Own/all scoping — read_own vs read_all for data visibility
  • Auto-assignment — New permissions auto-mapped to admin roles

Security you can demonstrate to auditors

Book a walkthrough to see how ComplAI's security architecture protects your compliance data with audit-ready evidence.

No credit card required · Free consultation · Custom pricing