Security — Trust Centre — Compass IoT
Overview

Infrastructure

Cloud infrastructure and hosting

Google Cloud Platform

Compass IoT's platform is hosted on Google Cloud Platform (GCP). We do not operate our own physical servers or data centres. All infrastructure benefits from Google's enterprise-grade security controls, physical security programme, and ISO 27001, SOC 2, and SOC 3 certifications.

Data is stored in the region it originates from — Australian customer data is stored in Australian GCP regions, UK data in UK or EU-equivalent regions, and North American data in US regions. We do not replicate data across regions without explicit justification and appropriate safeguards.

  • All production infrastructure is managed as code and version-controlled.
  • Network segmentation separates production, staging, and development environments.
  • Tenants are logically isolated — no customer can access another customer's data.
  • Infrastructure changes go through a peer-reviewed deployment process before reaching production.
  • GCP's built-in DDoS protection and Web Application Firewall (WAF) are enabled across all public-facing endpoints.

Data protection

Encryption

In transit and at rest

All data transmitted to and from the Compass IoT platform is encrypted in transit using TLS 1.2 or higher. All data stored within our platform is encrypted at rest using AES-256, managed through Google Cloud's Key Management Service (KMS).

We do not transmit sensitive data over unencrypted channels. API endpoints enforce HTTPS and reject insecure connections. Internal service-to-service communication within our infrastructure is also encrypted.

  • TLS 1.2+ enforced on all external-facing endpoints; TLS 1.0 and 1.1 are disabled.
  • AES-256 encryption at rest for all stored data, including backups.
  • Encryption keys managed via Google Cloud KMS with access logging enabled.
  • Customer API keys and secrets are stored using a dedicated secrets management service, never in plaintext.

Access management

Access control and authentication

RBAC and MFA enforced

Access to Compass IoT systems follows the principle of least privilege — employees and contractors are granted only the access required to perform their role. Access is provisioned through a formal request and approval process and reviewed on a regular basis.

Multi-factor authentication (MFA) is mandatory for all internal systems and for all employees with access to production environments. We use role-based access control (RBAC) to enforce access boundaries. Full details are available in our Access Control Policy.

  • MFA required for all Compass IoT internal systems and cloud infrastructure access.
  • Role-based access control applied to the platform, infrastructure, and internal tooling.
  • Access is provisioned on a need-to-know basis and reviewed on a regular schedule.
  • Privileged access to production systems is restricted to a small number of authorised personnel and requires additional approval.
  • Access is revoked within one business day of employment termination.
  • All access events to sensitive systems are logged and retained for audit purposes.

Vulnerability management

Vulnerability management and penetration testing

Annual penetration testing

Compass IoT conducts regular penetration tests carried out by independent parties. Findings are triaged by severity and tracked through to remediation.

We maintain a responsible disclosure programme for external researchers who discover potential vulnerabilities in our platform.

  • Annual penetration test by an independent third-party firm.
  • Continuous vulnerability scanning of infrastructure and dependencies.
  • Software dependencies are monitored for known CVEs; patches are applied on a risk-based schedule.
  • Critical vulnerabilities are assessed and remediated within 48 hours of confirmed identification.
  • Penetration test executive summary available to customers on request (email-verified).

Responsible disclosure

To report a suspected vulnerability, email trust@compassiot.com with the subject line "Security Vulnerability". We will acknowledge all reports within one business day and keep you informed of our response.

Incident response

Incident detection and response

Documented process in place

Compass IoT maintains a documented incident response process covering detection, containment, eradication, recovery, and post-incident review.

In the event of a confirmed data breach affecting customer data, affected customers will be notified within 72 hours of our becoming aware of it, in accordance with applicable data protection law. Notifications will include the nature of the incident, the data affected, and the steps being taken.

  • A documented incident response runbook covers all severity levels from minor anomaly to critical breach.
  • Incident response roles and responsibilities are assigned and reviewed annually.
  • Post-incident reviews are conducted after any significant security event to identify root cause and prevent recurrence.
  • Customers are notified within 72 hours of a confirmed breach affecting their data.

People

Employee security

Training and background checks

Security awareness is embedded in how we onboard and operate as a team. All employees complete security training at onboarding and annually thereafter. Training covers phishing, social engineering, password hygiene, incident reporting, and data handling responsibilities.

  • Background checks conducted on all new employees prior to start date.
  • Security awareness training mandatory at onboarding and annually.
  • Acceptable Use Policy signed by all employees and contractors as a condition of engagement.
  • All employees operate under confidentiality obligations covering customer and company data.
