Security
Security is the first feature. Not the footer.
Compass exists because real-estate vendors run multiple companies and cannot tolerate cross-company data drift. Tenancy, role-based access, residency, and audit are the platform, not a compliance page bolted on at the end.
Tenancy model
Every row knows the vendor it belongs to.
Multi-tenancy is enforced at the database, not at the query convention. Every record carries the tenant identifier. Every query is scoped by the request's tenant context. Cross- vendor access is impossible by design.
Below the vendor: companies, teams, projects. Permissions inherit. Exceptions are explicit, audited, and reversible from one screen.
At the row
Every row carries the tenant
There is no shared table across vendors. Cross-vendor joins are impossible by construction.
At the query
Tenant context is non-optional
Every read is scoped by the current request's tenant. There is no fallback path for missing context.
At the connection
Per-tenant credentials available
Enterprise customers can run on dedicated database credentials per tenant, with separate keys and KMS isolation.
At the backup
Backups inherit the model
Daily encrypted backups, region-pinned, restorable to a point in time, scoped per tenant.
Access & permissions
Roles compose. Scopes inherit. Every change is logged.
Compass ships with a library of sensible roles: vendor admin, company admin, team lead, sales rep, finance, read-only auditor. They are not opaque. Every role lists its read and write rules in plain language.
Need more? Custom roles compose new rules from the same primitives. Field-level permissions let you allow a role to see the lead name but not the contact number, or the unit but not the price band. Every permission change is logged, with the actor, the target, and the diff.
| Action | Vendor | Company | Team lead | Rep |
|---|---|---|---|---|
| Create company | edit | |||
| Create team | edit | edit | ||
| Create project | edit | edit | ||
| Author routing rule | edit | edit | ||
| Read other companies | edit | |||
| Read own pipeline | edit | edit | edit | edit |
| Edit lead price | edit | edit | edit | |
| Approve discount | edit | edit | ||
| Export leads | edit | edit | read | |
| View audit log | edit | read |
Data residency
Your data lives where your business does.
Vendors pick a region at signup. Daily operations, backups, and the intelligence engine all stay inside that region. For Enterprise customers, we deploy into your own cloud account, with key management, audit log export, and a retention policy shaped to your regulator.
India
Mumbai
Default for Indian vendors. DPDP-compliant. Daily backups, region-pinned.
Singapore
ap-southeast-1
Default for SEA vendors. Replicated to a second AZ in region.
UAE
Dubai
Available on request for vendors operating in the Gulf. Compliance docs on request.
Your cloud
Enterprise BYOC
Compass deploys into your AWS, GCP, or Azure account. Your keys, your audit log destination.
Compliance posture
Where we are, plainly.
We publish the live state of our security program, instead of claiming a certification we have not finished. Status here is updated monthly. Auditor letters are available on request, under NDA.
- GDPR / DPDPCompliant·Operational controls live, DPIA available
- Encryption in transitAlways-on·TLS 1.3, HSTS preload
- Encryption at restAlways-on·AES-256, KMS-backed
- SSO (SAML, OIDC)Enterprise·Bring your IdP, mapped to Compass roles
- SCIM provisioningEnterprise·Automated user lifecycle from your IdP
- SOC 2 Type IIIn progress·Audit window opens Q3 2026
- ISO 27001Planned·Following SOC 2 close-out, 2027
- Audit log exportAvailable·Stream to your SIEM, scheduled or live
Audit & monitoring
Everything that happened, with the person who made it happen.
Compass writes an audit entry for every read on sensitive fields, every write, every permission change, every export, and every API call. The log is queryable, exportable, and retained for as long as your plan and your regulator require.
Field-level reads
Sensitive reads are recorded.
Contact numbers, contract values, and any flagged field are logged on read. Mass-read patterns trigger an alert.
Writes & changes
Every write is a diff.
Updates carry before/after values, the actor, and the source (UI, API, automation, system).
Permissions
Role and scope changes
Every permission grant, revoke, and role edit is logged with a justification field.
Exports
Who exported what, when
CSV and Excel exports are watermarked and logged. Vendor admins can disable exports per role.
API
Every key and every call
API keys are scoped, rate-limited, and revocable. Every call is logged with the key fingerprint.
Logins
Sessions and devices
Login history per user, with device, IP, and any anomalous signals flagged for review.
Incident response
When something goes wrong, you hear from us within an hour.
Compass operates a 24x7 on-call rotation. Severity 1 incidents trigger immediate notification to the vendor admin, with a running status page and post-incident review delivered within five business days.
- T+0
Detected
Page fires to the on-call engineer.
- T+15m
Triaged
Severity assigned, vendor admin paged for Sev 1.
- T+1h
Customer comms
First customer-facing update, with the scope of impact.
- Until resolved
Hourly updates
Status page updates at least every 60 minutes.
- T+5d
Post-incident review
Written PIR with timeline, root cause, and follow-up actions.
Vulnerability disclosure
Found something? We want to hear about it.
Security researchers, customers, and partners are welcome to report vulnerabilities directly. We acknowledge within one business day, work to a fix collaboratively, and credit reporters in the release notes when they want it.
Out of scope: denial of service, social engineering of our team, anything that requires physical access to a customer device.
security@oncompass.techKeep reading
Adjacent reads if security brought you here.
- Lead intelligenceHow the engine handles personal data.Behavioral data stays in your tenant. No cross-vendor training set. Retention configurable per company.Read
- Automation engineRouting without leaking across companies.Cross-company rules are vendor-admin only. Company admins cannot author rules that move data across.Read
- PricingPlans, residency, and what is on Pro.Custom roles, field-level permissions, audit logs, and advanced security controls ship on Pro.Read
Next
Show us your estate. We will show you ours.
A 30-minute working call. Bring a real brand, a real project, and a real role. We will run the workspace against your actual hierarchy.
Reply within 24 hours, IST business days. Calls scheduled in your timezone.