Trust & Security

Compliance & Certifications

Structured security. Proven governance.

Complexio maintains a comprehensive Information Security Management System (ISMS) and is actively pursuing industry-standard certifications to provide independent assurance to customers in highly regulated industries.

A systematic approach to security governance.

Our ISMS provides the operational framework for managing information security across development, internal operations, customer data handling, and cloud infrastructure. It encompasses 15 policy domains:

  1. Information Security Policy
  2. Organisation of Information Security
  3. Human Resource Security
  4. Asset Management
  5. Access Control
  6. Cryptography
  7. Physical and Environmental Security
  8. Operations Security
  9. Communications Security
  10. System Acquisition, Development and Maintenance
  11. Supplier Relationships
  12. Information Security Incident Management
  13. Business Continuity Management
  14. Compliance
  15. Data Protection and Privacy

Certifications & Attestations

In Progress — Target: 2026

ISO 27001

We are actively implementing the controls required under ISO/IEC 27001 and preparing for our certification audit. Our ISMS has been designed to align with the applicable Annex A controls and certification requirements.

Aligned

GDPR

Complexio is fully compliant with the General Data Protection Regulation. We operate as a data processor and execute DPAs with all customers.

Planned

SOC 2 Type II

SOC 2 Type II is under consideration as a future certification milestone.

Aligned

EU AI Act

Our AI systems are designed in alignment with the EU AI Act requirements, including transparency, human oversight, and risk classification.

Meeting the standards your industry demands.

GDPR

  • Data Processing Agreements (DPAs) are executed with all customers.
  • Privacy by design and by default are embedded in product development.
  • Data minimisation, PII masking, and retention controls are enforced at the platform level.
  • Support for DSARs, the right to erasure, and data portability.

EU AI Act

  • Risk classification of all AI systems within the Complexio platform.
  • Transparency documentation and human oversight mechanisms.
  • No use of prohibited AI practices (social scoring, manipulation, real-time biometric identification).
  • Conformity assessment framework and documentation in active development ahead of August 2026 enforcement.

Industry-Specific

  • Our architecture supports deployment within environments that must meet sector-specific regulations (e.g. maritime, energy, insurance).
  • Customers in regulated industries can layer their own compliance controls on top of Complexio’s baseline security.

Resilient by design.

  • Business Impact Analysis (BIA) — we have identified critical systems and defined recovery priorities.
  • Disaster recovery — documented DR procedures with defined RPO and RTO targets for all critical services.
  • Scheduled drills — we conduct periodic disaster recovery and incident response drills to validate our readiness.
  • Recovery assurance — backup restoration is tested regularly to ensure data can be recovered within defined targets.