Security Statement
This statement sets out the security measures we use to protect Compass and the data you give it. It is the user-facing summary of the technical and organisational measures listed in Schedule 2 of our Data Processing Agreement.
1. Access and Authentication
- Multi-factor authentication is required on all administrative accounts.
- Role-based access control on production systems. Direct access to the production database is restricted to the smallest possible set of administrators.
- No standing third-party access to production systems. Vendor access is granted just-in-time and revoked at the end of the support window.
2. Encryption
- All connections between your browser and Compass use TLS 1.2 or higher.
- Data at rest in the Compass database is encrypted using AES-256.
- Backups are encrypted to the same standard.
3. Database Isolation
Compass runs on Supabase with Postgres. Tenant isolation is enforced inside the database through Row Level Security policies, so a query issued from the application layer cannot read or modify rows belonging to another tenant. No cross-tenant query is permitted from the application layer.
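The following is an added illustration of the pattern this section describes, not Compass's own schema or policies. The table names (`tenant_members`, `documents`), the `tenant_id` column and the sample UUIDs are assumptions. It relies on two Supabase facts: PostgREST runs end-user queries as the `authenticated` role with the user's JWT claims exposed via `auth.uid()`, and the `service_role` key bypasses Row Level Security entirely, so isolation only holds if application code queries with the end user's token rather than the service key.

```sql
-- Added example (not Compass's own schema): tenant isolation with Postgres
-- Row Level Security on Supabase. Names and UUIDs below are assumptions.

-- Which users belong to which tenant.
create table tenant_members (
  tenant_id uuid not null,
  user_id   uuid not null references auth.users (id),
  primary key (tenant_id, user_id)
);

-- A tenant-scoped data table: every row carries its owning tenant.
create table documents (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  title     text not null
);

-- Constructed seed data: two tenants, one member each.
insert into tenant_members values
  ('aaaaaaaa-0000-0000-0000-000000000001', '11111111-1111-1111-1111-111111111111'),
  ('bbbbbbbb-0000-0000-0000-000000000002', '22222222-2222-2222-2222-222222222222');
insert into documents (tenant_id, title) values
  ('aaaaaaaa-0000-0000-0000-000000000001', 'Tenant A plan'),
  ('bbbbbbbb-0000-0000-0000-000000000002', 'Tenant B plan');

-- Turn RLS on. With no policy, RLS denies everything (default deny).
-- FORCE applies the policies to the table owner too; it does not
-- affect roles with BYPASSRLS, which is how service_role bypasses RLS.
alter table tenant_members enable row level security;
alter table tenant_members force row level security;
alter table documents enable row level security;
alter table documents force row level security;

-- Only the authenticated role gets table privileges; anon gets nothing,
-- so an unauthenticated request cannot even reach the policy check.
revoke all on tenant_members, documents from public, anon;
grant select on tenant_members to authenticated;
grant select, insert, update, delete on documents to authenticated;

-- A user may see only their own membership rows.
create policy tenant_members_self on tenant_members
  for select to authenticated
  using (user_id = auth.uid());

-- Documents: the caller's tenant set is derived from the JWT subject,
-- never from a tenant_id supplied by the client.
create policy documents_select on documents
  for select to authenticated
  using (tenant_id in (select tenant_id from tenant_members
                       where user_id = auth.uid()));

-- WITH CHECK stops a user from writing rows into another tenant.
create policy documents_insert on documents
  for insert to authenticated
  with check (tenant_id in (select tenant_id from tenant_members
                            where user_id = auth.uid()));

create policy documents_update on documents
  for update to authenticated
  using (tenant_id in (select tenant_id from tenant_members
                       where user_id = auth.uid()))
  with check (tenant_id in (select tenant_id from tenant_members
                            where user_id = auth.uid()));

create policy documents_delete on documents
  for delete to authenticated
  using (tenant_id in (select tenant_id from tenant_members
                       where user_id = auth.uid()));

-- Verification: simulate a request from tenant A's user the way
-- PostgREST does (role switch + JWT claims in a transaction setting).
begin;
set local role authenticated;
select set_config('request.jwt.claims',
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
  true);
select title from documents;          -- returns only 'Tenant A plan'
insert into documents (tenant_id, title)
  values ('bbbbbbbb-0000-0000-0000-000000000002', 'smuggled');
                                      -- fails: violates documents_insert
rollback;
```

The verification block is the check worth keeping in a migration test: run it once per tenant and assert the row count, and run it once with no `request.jwt.claims` set to confirm the result is empty rather than everything.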
4. Hosting
- The product runs on Vercel with Deployment Protection enabled. Secrets are held as environment variables exposed only to the deployments that need them.
- The database runs on Supabase in regions located in the United Kingdom and the European Union.
5. Backups and Recovery
- Automated daily backups, retained for 30 days.
- Point-in-time recovery enabled on the production database.
- A disaster-recovery test is run at least annually.
6. Logging and Monitoring
- Application logs are retained for 90 days.
- Authentication logs are retained for 12 months.
- Alerts are raised on administrative actions and on patterns of failed logins.
7. Sub-Processors
We use a small set of named sub-processors, each bound by a written agreement. The current list is at https://compassbystarlight.com/legal/sub-processors. We review their security posture before engagement and annually thereafter.
8. Incident Response
We have a documented incident response process. In the event of a personal data breach, we notify affected users and the Information Commissioner's Office within 72 hours of becoming aware of the incident.
9. Vulnerability Reporting
We welcome reports of suspected vulnerabilities. To report a security issue:
- email security@starlighttech.ai;
- include a clear description of the issue, steps to reproduce, and any proof-of-concept material; and
- please do not test on production data belonging to other users.
We acknowledge reports within 2 working days and aim to remediate critical issues within 14 working days.
We do not currently offer a paid bug bounty. We do thank reporters publicly on this page where they give consent.
10. What You Can Do
Some security depends on you. We recommend:
- use a unique, strong password for your Compass account;
- turn on multi-factor authentication once we offer it as a user-facing option (planned for the first months after launch);
- do not share your password;
- sign out of shared devices; and
- email security@starlighttech.ai if you think your account has been accessed without permission.
11. Audits and Certifications
At launch, Compass does not hold a formal SOC 2 or ISO 27001 certification. Our sub-processors (Anthropic, Vercel, Supabase, Stripe) hold their own certifications, which underpin parts of our environment. We will assess whether to pursue our own certification as the company scales.
12. Contact
Email security@starlighttech.ai for security reports and questions.
Change Log
- v1.0, 10 June 2026. First publication.
Starlight Tech Limited, company number 17175089, registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, registered in England and Wales.