Security at Compreo
Last updated: 30 May 2026
At Compreo Business Systems India Private Limited ("Compreo", "we", "us"), security is a foundational design principle, not a feature we bolt on afterwards. The Compreo platform — including our low-code ERP, the Customer Portal, Vendor Portal, Field-Sales Portal, and our mobile applications — handles operational, financial and personal data that organisations rely on every day. This page explains, in plain language, the technical and organisational measures we use to protect that data, and how to reach us if you believe you have found a vulnerability. It is written to give CXOs, IT leaders, data-protection officers and app-store reviewers a clear, honest picture of our security posture; for how we handle personal data more broadly, please also read our Privacy Policy.
How we protect your data
Infrastructure on Microsoft Azure
The Compreo platform is hosted on Microsoft Azure, one of the world's most widely audited cloud platforms. By building on Azure, we inherit Microsoft's investment in physically secured data centres, redundant power and networking, and a hardened cloud fabric that carries certifications such as ISO 27001, SOC 1/2/3 and others. We use Azure's native controls — including network security groups, private endpoints and managed identities — to restrict the attack surface around our services. We do not operate our own physical data centres, which lets us focus our security effort on the application layer where customer data lives.
Encryption in transit & at rest
All traffic between your browsers, mobile apps and our services is protected with TLS (HTTPS) using modern cipher suites, so data moving across the internet cannot be read or tampered with in transit. Data at rest — including databases, file storage and backups — is encrypted using strong, industry-standard algorithms (such as AES-256) managed through Azure key services. Encryption keys are managed and rotated within the Azure platform rather than stored alongside the data they protect. This means that even at the storage layer, your information is unreadable without the appropriate keys.
Access control & RBAC
Access to the platform is governed by Role-Based Access Control (RBAC), so each user sees only the functions and data their role permits. Authorisation in Compreo is enforced through a layered authentication model: a user's identity is mapped to security functions, user-level authorisations, and role privileges, and access is granted only when every layer agrees. This defence-in-depth approach means a single misconfiguration cannot silently widen a user's reach. Internally, employee and administrator access to production systems follows the principle of least privilege and is granted only on a documented, need-to-know basis.
Multi-tenant isolation
Compreo is a multi-tenant platform, and keeping one customer's data logically separated from another's is a core engineering commitment. Each tenant is isolated at the data layer, and every query, report and integration is scoped to the requesting tenant so that data from one organisation is never exposed to another. The same isolation boundary is enforced consistently across the Customer, Vendor and Field-Sales portals and the mobile apps. We test these boundaries as part of our development process to guard against cross-tenant data leakage.
Monitoring & logging
We maintain logging and monitoring across our application and infrastructure to detect unusual or unauthorised activity. Security-relevant events — such as authentication attempts, privilege changes and administrative actions — are recorded to support auditing and incident investigation. Azure-native monitoring and alerting help our team respond quickly to anomalies. In the event of a confirmed security incident affecting personal data, we follow defined procedures to assess, contain and remediate, and to notify affected customers and the relevant authorities as required by applicable law.
Backups & disaster recovery
Customer data is backed up on a regular schedule, and backups are encrypted and retained in line with our internal data-retention standards. Our disaster-recovery approach leverages Azure's regional resilience so that we can restore service and data following a significant failure. We periodically review our recovery objectives — our target Recovery Time Objective (RTO) and Recovery Point Objective (RPO) — to confirm they remain appropriate for the platform. Backups are subject to the same access controls and encryption as production data.
Vulnerability management
We take a proactive approach to identifying and remediating weaknesses in our software and dependencies. We track security updates for the frameworks and libraries we use, apply patches on a risk-prioritised basis, and incorporate security review into our development lifecycle. Significant changes are reviewed before release, and we remediate confirmed vulnerabilities according to their severity. We welcome reports from the security community through our responsible-disclosure process described below.
Compliance posture
We design our practices to align with the obligations placed on us under India's Digital Personal Data Protection Act, 2023 (DPDP Act) and, where it applies, the EU General Data Protection Regulation (GDPR). As a processor of customer data, we contract with our customers on the basis of clear data-protection commitments and rely on Azure's independently audited certifications for the underlying infrastructure. We continue to mature our compliance programme as our customer base and regulatory landscape evolve. For details of any current certifications or audit reports, please contact us at security@compreo.ai.
Responsible disclosure
We believe that working openly with security researchers makes the Compreo platform safer for everyone. If you discover a security vulnerability in any of our products or services, we ask that you report it to us privately so we can investigate and remediate before any details are made public.
Please send a detailed report — including the affected component, steps to reproduce, and any supporting evidence — to security@compreo.ai. We ask that you give us a reasonable period to address the issue and that you avoid accessing, modifying or deleting data belonging to other customers, degrading service availability, or otherwise causing harm during your research. We will acknowledge legitimate reports, keep you informed of our progress, and will not pursue or support legal action against researchers who act in good faith and in accordance with this policy. We are grateful to the researchers who help us protect our customers, and we are happy to recognise your contribution where you would like us to.
Data residency
Customer data processed through the Compreo platform is hosted in Microsoft Azure data centres in the region(s) we operate in for our customers; our default hosting region is [primary Azure region — e.g. Central India]. Where a customer requires data to remain within a particular jurisdiction, we will discuss the available Azure regions and any applicable terms as part of the contracting process. Cross-border transfers, where they occur, are carried out in accordance with applicable law, including the DPDP Act and, where relevant, the GDPR, using appropriate safeguards. If you have specific questions about where your organisation's data is stored or processed, please contact us at security@compreo.ai or our registered office at [registered office address].
Questions or concerns
For security questions, disclosure reports, or data-residency enquiries, contact our security team at security@compreo.ai. For broader questions about how we collect and use personal data, please see our Privacy Policy. You may also review our Cookie Policy or request erasure through our Data deletion page.
Compreo Business Systems India Private Limited
[registered office address], [city], India