Trust & compliance

Our own security posture.

We help our customers operate audit-grade platforms. The same discipline applies to the firm. This page is the public-facing summary of how CompTech Lab itself handles information security, customer data, and compliance — the source of truth your procurement and security functions will reference.

Certifications & attestations

Formal attestations the firm holds or is pursuing. Letters of certification, audit reports, and gap-assessment summaries are available under NDA on request.

Standard        | Scope                                    | Status      | Notes
ISO/IEC 27001   | Information security management          | In progress | Targeted certification for the firm's own information-security posture.
ISO/IEC 27701   | Privacy information management           | Planned     | Privacy-management extension of ISO 27001.
SOC 2 Type I    | Trust services criteria (readiness)      | Planned     | Initial point-in-time attestation on control design.
SOC 2 Type II   | Trust services criteria (operational)    | Planned     | Operating-effectiveness attestation over a defined review period.
ISO/IEC 42001   | AI management system                     | Planned     | AI management certification for our AI-practice operating model.

Information-security posture

The firm operates an internal information-security management programme aligned to ISO 27001 controls. Key elements:

  • Identity. All personnel access flows through a federated identity provider with MFA enforced; account provisioning and deprovisioning are driven by SCIM from the directory of record.
  • Endpoints. Managed laptops with full-disk encryption, EDR, automatic OS patching, and conditional-access policies.
  • Credentials. Customer credentials are stored only in HashiCorp Vault or in the customer's own credential-custody platform, never anywhere else. Personnel access uses short-lived, dynamically issued credentials rather than standing secrets.
  • Code & artefacts. Source control on managed Git platforms with branch protection, mandatory review, signed commits, and SBOM generation in CI.
  • Logging & audit. Centralised logs from endpoints, IdP, code platform, and engineering tooling, with retention aligned to control frameworks.
  • Vulnerability management. Continuous scanning of firm assets, with documented remediation SLAs and a formal risk-acceptance process for any exception.
  • Incident response. Documented IR plan, escalation paths, customer-notification thresholds, and breach-reporting timelines aligned to regulatory regimes.

Customer data handling

We process customer data under three explicit principles:

  • Minimisation. We collect and retain only what is necessary for the engagement, and we prefer access to your systems over copies of your data.
  • In-place by default. Where possible, customer data stays in the customer's environment and our engineers access it via federated identity, not by extraction.
  • Documented retention. Where data is held by us during an engagement, retention is documented in the engagement contract with deletion verified at engagement close.

Sub-processors

A current list of sub-processors that may process customer data during engagements is available under NDA. The list includes the cloud, identity, and engineering-tool platforms we operate the practice on. We notify customers in advance of material additions.

Data residency

We accommodate customer data-residency requirements (regional, national, or air-gapped) as part of engagement scoping. For regulated customers with strict sovereignty requirements, we operate inside the customer's environment with no customer data leaving the boundary.

Vulnerability disclosure

If you believe you have found a vulnerability in our website or in any service operated under our control, please contact security@comptech-lab.com. We will acknowledge receipt within two business days, share remediation timelines, and credit reporters with their consent.

Procurement & security review

For enterprise procurement and vendor-security reviews, we maintain a standard response pack covering controls, sub-processors, business-continuity, insurance, and contractual terms. To request access, contact trust@comptech-lab.com.

Contact