Security is built into every layer of Komprai. Here is how we protect your data and infrastructure.
Last updated: March 27, 2025
End-to-end encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256).
Zero-trust access
Every internal request is authenticated. No implicit trust, ever.
99.9% uptime SLA
Redundant infrastructure across multiple availability zones.
Continuous monitoring
24/7 automated threat detection and real-time alerting.
Responsible disclosure
We reward researchers who help us find and fix vulnerabilities.
Annual audits
Third-party penetration tests and compliance audits every year.
Security is not an afterthought at Komprai — it is built into every layer of our architecture, development process, and operations. We follow a defense-in-depth strategy that combines multiple layers of technical controls, organizational policies, and continuous monitoring.
Our security team reviews all infrastructure changes, conducts regular threat modeling sessions, and maintains an internal security roadmap that is reviewed quarterly. We believe that transparency and proactive communication are essential components of a trustworthy platform.
Komprai runs on enterprise-grade cloud infrastructure deployed across multiple availability zones, ensuring high availability and resilience against hardware failures or regional outages. All infrastructure is provisioned using infrastructure-as-code, enabling consistent, auditable deployments.
Our network is segmented using private VPCs with strict firewall rules. All internal services communicate over encrypted channels. Public-facing endpoints are protected by a Web Application Firewall (WAF) and DDoS mitigation layers.
We maintain immutable, versioned infrastructure logs and ship all logs to a centralized SIEM for real-time analysis and long-term retention. Automated anomaly detection alerts the on-call team to suspicious patterns within seconds.
All data transmitted between your clients and our servers is encrypted using TLS 1.3 with strong cipher suites. We enforce HSTS and have an A+ rating on SSL Labs. Certificate transparency monitoring alerts us to any unauthorized certificate issuance.
Data at rest is encrypted using AES-256. Encryption keys are managed by a dedicated key management service with automatic rotation policies. Sensitive fields such as credentials and payment data receive additional application-level encryption.
We operate on a zero-trust principle: every access request is authenticated and authorized regardless of where it originates. Internal services use mutual TLS for service-to-service communication. Human access to production systems requires MFA and is logged.
Role-based access control (RBAC) ensures that employees have access only to the systems and data necessary for their role. Access reviews are conducted quarterly, and access is revoked immediately upon employee offboarding.
All privileged access sessions are recorded and subject to automatic termination after periods of inactivity. Our security team reviews privileged access logs weekly.
We maintain a documented incident response plan that is tested through tabletop exercises at least twice a year. Our on-call rotation ensures that a qualified engineer is available 24/7 to respond to security incidents.
In the event of a data breach, we will notify affected customers within 72 hours as required by GDPR, and within 2 business days for all other customers. Notifications will include a description of the incident, data affected, and steps we have taken or are taking.
Komprai undergoes annual third-party security audits and penetration tests conducted by accredited firms. We maintain SOC 2 Type II certification, demonstrating our ongoing commitment to security, availability, and confidentiality.
We are compliant with GDPR, LGPD (Brazil), and ISO 27001. Our compliance program is reviewed continuously and updated as regulations evolve. Customers may request copies of our audit reports and compliance certifications under NDA.
We operate a responsible disclosure program. If you discover a potential security vulnerability in Komprai, please report it to security@komprai.com. We ask that you give us a reasonable amount of time to respond and remediate before any public disclosure.
We commit to acknowledging receipt of your report within 24 hours, providing a timeline for remediation within 5 business days, and notifying you when the vulnerability has been resolved. We will not take legal action against security researchers who follow this policy in good faith.
For security-related inquiries, vulnerability reports, or compliance documentation requests, please contact our security team directly at security@komprai.com. For urgent security incidents, include "URGENT" in the subject line and we will respond within 2 hours.