How we secure your data
At mycomplaints.ai, we take security extremely seriously. Whether you represent a government department, a large enterprise, or a smaller organisation handling sensitive information, our platform is engineered to adhere to the highest standards of information security, data protection, and operational resilience.
Security is fundamentally embedded into every layer of our system – from core infrastructure and stringent access control to continuous monitoring, comprehensive encryption, and regulatory compliance. We consistently review, enhance, and audit our security practices to uphold the complete trust our customers place in our service.
Certifications and assurance
We are currently in the final stages of achieving the following internationally recognised security certifications, providing independent assurance of our controls:
- ISO/IEC 27001: The globally accepted standard for information security management systems, demonstrating our commitment to a systematic approach to managing sensitive company information.
- SOC 2 Type II: An independent audit verifying that our controls related to security, availability, and confidentiality are operating effectively over a period of time.
- HIPAA: Our platform aligns with key HIPAA requirements, essential for our customers in the health sector who handle protected health information (PHI).
- PCI DSS (Payment Card Industry Data Security Standard): We adhere to the PCI DSS framework to ensure the secure processing, storage, and transmission of payment card information. This is critical for customers handling payments and financial data, offering assurance that we meet stringent security standards for the protection of cardholder data.
Adhering to these rigorous frameworks ensures our security practices remain robust, transparent, and fully aligned with global expectations across diverse industries.
Secure cloud infrastructure on AWS
Our infrastructure is hosted within Amazon Web Services (AWS), leveraging a secure, well-architected design prioritising data privacy, scalability, and resilience.
Key infrastructure security features:
- Network isolation: Our core services operate within a private Virtual Private Cloud (VPC), completely segregated from the public internet using private subnets.
- Gateway endpoints: Communication with essential AWS services like S3 and DynamoDB is routed through VPC Gateway Endpoints, ensuring data never traverses the public internet.
- Public access control: Frontend assets are served via Amazon CloudFront, employing origin access controls to strictly limit direct public access to underlying S3 buckets.
- AWS WAF protection: Our application edge is protected by a Web Application Firewall (WAF), proactively detecting and blocking common web threats and malicious attacks.
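The CloudFront origin access control pattern mentioned above, as an added example that is not mycomplaints.ai's own configuration: a constructed S3 bucket policy that grants read access only to the CloudFront service principal pinned to one distribution, plus two checks a reviewer can run over any bucket policy document to confirm no anonymous grant slipped in. The bucket name, account ID and distribution ID are placeholders.

```python
import json

# Constructed bucket policy (placeholder bucket, account and distribution IDs):
# only the CloudFront service principal may read objects, and only when the
# request originates from one named distribution, which is the OAC pattern.
OAC_BUCKET_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": {"Service": "cloudfront.amazonaws.com"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::EXAMPLE-frontend-bucket/*",
    "Condition": {"StringEquals": {
      "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLEDIST"}}
  }]
}""")


def public_allow_statements(policy):
    """Sids of Allow statements usable by anonymous callers: a wildcard
    Principal ("*" or {"AWS": "*"}) with no Condition narrowing it."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if wildcard and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def grants_only_oac(policy, distribution_arn):
    """True when every Allow statement is a CloudFront service-principal grant
    pinned to distribution_arn via AWS:SourceArn; any other grant fails."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if not (isinstance(principal, dict)
                and principal.get("Service") == "cloudfront.amazonaws.com"
                and cond.get("AWS:SourceArn") == distribution_arn):
            return False
    return True
```

Pair these checks with S3 Block Public Access on the bucket itself; the policy check covers grants, not ACLs.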
Identity and access control
Access to the mycomplaints.ai platform is tightly controlled:
- SSO-only access: Access is exclusively managed through Single Sign-On (SSO), integrated with your organisation’s existing identity provider. We do not support local password authentication.
- Role-based permissions: Access to sensitive data and platform services is strictly limited using the principle of least privilege. This is managed through fine-grained AWS Identity and Access Management (IAM) roles.
- Secure secrets management: Sensitive credentials, such as cryptographic keys and database passwords, are securely stored and managed within AWS Secrets Manager, accessible only by authorised internal components.
Comprehensive encryption and data security
We employ strong encryption mechanisms for all data, both in transit and at rest:
- Encryption in transit: All communications – whether between users, internal services, or external systems – are encrypted using industry-standard TLS 1.2 or higher.
- Encryption at rest:
  - All data stored within our platform is encrypted using AWS Key Management Service (KMS).
  - This includes data in Amazon S3, DynamoDB, Redshift Serverless, Secrets Manager, and container images in Amazon ECR.
- No public access to data stores: All databases and storage systems are configured as private resources, accessible only via internal endpoints and strictly controlled IAM policies.
Continuous monitoring and threat detection
We operate with a focus on continuous visibility and proactive threat detection:
- Audit logging with AWS CloudTrail: We meticulously record all management and API activity across our AWS environment. Logs are stored securely in encrypted S3 buckets.
- Network monitoring: VPC Flow Logs provide detailed insights into network traffic patterns, crucial for incident response and ongoing security reviews.
- Threat detection with AWS GuardDuty: This service continuously analyses activity for malicious behaviour, potential misconfigurations, and unauthorised access attempts.
- Centralised logging and alerting: All system logs are consolidated in CloudWatch Logs and integrated with automated alerting systems for rapid detection and response to potential security incidents.
Built for resilience and scale
Our infrastructure is designed from the ground up to be highly resilient, fault-tolerant, and available:
- Multi-AZ deployment: Core platform services are deployed across multiple AWS Availability Zones, providing robust protection against localised failures.
- Autoscaling capabilities: The mycomplaints.ai platform automatically scales its resources to efficiently handle fluctuations in demand without compromising performance or availability.
- Redundancy and failover: All critical services incorporate built-in redundancy and robust disaster recovery mechanisms to ensure continuity.
Handling of sensitive and regulated data
If your organisation handles sensitive complaints data, health records, or other types of regulated information, mycomplaints.ai provides the necessary controls:
- Encryption for PHI and personal data: All sensitive information, including PHI and personal data, is encrypted at all times throughout its lifecycle.
- Rigorous access control and isolation: IAM roles, VPC policies, and security groups are meticulously configured to ensure only authorised services and users can access restricted data sets.
- Comprehensive audit trails: Full logs of all data access and system activity are maintained, providing essential audit trails for compliance reporting, internal reviews, and regulatory requirements.
- HIPAA-eligible service utilisation: We exclusively utilise AWS services that are covered by the AWS Business Associate Agreement (BAA), meeting the requirements for handling protected health information.
Enterprise-grade security for organisations of all sizes
We believe robust security and compliance should not be limited to large enterprises. mycomplaints.ai delivers enterprise-grade security capabilities to organisations of all sizes, designed to be effective without adding unnecessary operational complexity.
Whether you are implementing complaint management for the public sector, scaling internal case-handling processes, or launching a sensitive customer feedback channel, you can have full confidence in our platform to keep your data safe and secure.
Need more information about our security?
Please contact us to request further technical documentation, certification information, or support for procurement and due diligence processes.