Reference
Data privacy & security
A plain-English summary of how Compass protects your data. The full technical statement — the source of truth for our Xero certification pack — is at /uk/security.
The essentials
- Data controller: Digital Tactics Ltd, registered at 5 Boundary Road, Hove, East Sussex BN3 4EH.
- ICO registration: Z2807798. See the ICO register.
- Region: All customer data hosted in AWS London (
eu-west-2). - Encryption at rest: Everything — DynamoDB, S3, backups, logs — is encrypted with a customer-managed AWS KMS key that we rotate annually.
- Encryption in transit: TLS 1.2+ on every connection. TLS 1.0 and 1.1 disabled.
- Breach notification: ICO within 72 hours per UK GDPR Art. 33; affected users without undue delay where the risk is high.
How your Xero tokens are stored
Xero access and refresh tokens are the highest-value secret we hold. We store them in DynamoDB, encrypted a second time inside the row payload by a KMS envelope key that is bound to your Cognito user ID as an encryption context.
That last bit is worth understanding: even someone with broad DynamoDB read access
cannot decrypt a token for the wrong user — the KMS decrypt call fails because
the encryption context does not match. If we ever detect a context mismatch on
decrypt, the API hard-fails with a documented error code (token_context_mismatch)
and pages on-call. The failure never auto-heals — a real
cross-user access attempt cannot be masked as a retryable transient error.
We deliberately chose DynamoDB + KMS over S3 or AWS Secrets Manager. Full rationale in section 4 of the Security Statement.
How your scans are stored
Each scan produces a JSON blob (all the insights, all the metrics, all the widget
data) which sits in S3 under a per-user prefix:
users/{your Cognito user id}/scans/{scan id}.json.
S3 versioning and SSE-KMS with the app CMK apply. Only you can read your own scan
blobs — the IAM policy on the bucket enforces the prefix scoping.
Cached scans stay viewable free forever, even if you cancel. You can purge individual scans from your account settings at any time.
Authentication
- Passwords: minimum 8 characters with mixed case, digits and symbols. Every password checked against the HaveIBeenPwned breach corpus using k-anonymity — we never see your password or its full hash.
- Email verification: enforced. You cannot sign in until the verification link is followed. Links are valid for 24 hours.
- MFA: optional TOTP via any authenticator app. No SMS MFA — SIM-swap risk is materially higher for an account holding Xero credentials.
- Google / Microsoft sign-in: supported via OIDC through locale-agnostic callback URLs.
- Sessions: httpOnly cookies scoped to
.customercompass.ai,Secure,SameSite=Lax. HSTS enabled with 12-month max-age and includeSubDomains.
What we log
Every state-changing event is recorded in your per-user audit log with a 12-month rolling retention. Actions covered: sign-in, Xero connect, Xero disconnect, scan run, action approved, subscription changed, account deleted, credits purchased, credits consumed, credits refunded. Each entry carries a timestamp, before/after JSON where relevant, and any correlation ID from Stripe or Xero.
You can request an export of your own audit log by emailing chris@digitaltactics.co.uk.
Sub-processors
- AWS (eu-west-2) — infrastructure hosting for all customer data.
- Anthropic — LLM that drafts the wording of insights and actions. Only insight metadata is sent — no full invoices, no personal names, no bank information.
- OpenAI — fallback LLM with the same restricted payload shape.
- Stripe Payments UK Ltd — payment processing. Card data never touches our systems.
- Xero Ltd — the accounting platform you connect.
- Amazon SES — transactional email delivery.
- Microsoft 365 — inbound support email hosting for
support@customercompass.ai. - Google Analytics 4 — anonymised metadata only, opt-in, UK-region data, IP anonymisation on.
Full sub-processor list with data categories in the Privacy Policy.
Vulnerability management
Automated static analysis and dependency-vulnerability scanning run on every pull request. Critical CVEs affecting the production stack are triaged within one business day and patched inside seven days where a fix exists. We commit to an annual third-party penetration test — the first cycle is scheduled inside the marketplace-launch programme.
No public bug bounty at launch. Security disclosures to chris@digitaltactics.co.uk.
Data retention and deletion
- Xero token bundle: stored until you disconnect Xero or delete your account. Deletion immediately tombstones the ciphertext.
- Scan blobs: retained indefinitely for your own viewing. You can purge specific scans anytime.
- Audit log: 12 months rolling retention.
- Telemetry (opt-in): 24 months rolling retention, append-only.
- Account deletion: triggerable from account settings; a delete-worker verifies ownership by decrypting your token with your Cognito sub, then purges every table + S3 prefix belonging to you within seven days.
Your rights (UK GDPR)
You have the right to access, rectify, delete, restrict processing, port, object, and to withdraw consent — all of which you can exercise by emailing chris@digitaltactics.co.uk. Standard requests are actioned within one calendar month.
Full rights + how-to-exercise + who-to-complain-to at /uk/privacy.
Read more
- Full Security Statement — the source of truth for the Xero certification pack.
- Privacy Policy — UK GDPR / DPA 2018 in full.
- Terms of Service — commercial contract.