This document describes how Comply protects merchants and end-user data, the cloud foundation on which the service runs, and our current certification status. It is intended to support the security and governance reviews carried out by merchants and their partners. We aim to be transparent about both what we do and do not have in place.
Certification status
Comply does not currently hold an application-level SOC 2 or ISO/IEC 27001 certification. We prefer to state this plainly rather than imply otherwise.
However, Comply is built entirely on Microsoft Azure and inherits the controls and independent certifications of that platform (see Section 2). On top of that certified foundation, we operate a deliberately minimal, network-isolated architecture (Section 3) and apply least-privilege access governance (Section 5).
Comply has achieved NF525 Category B certification in France through an Infocert audit, with certification number 525/0700-1, and is fully compliant with the requirements in Spain.
Certified cloud foundation
The Comply application runs exclusively on Microsoft Azure infrastructure. Under the cloud shared-responsibility model, the physical security of the data centers, the underlying hardware, and the platform services we consume are operated and independently audited by Microsoft.
Microsoft Azure (hosting)
The Azure platform maintains a broad set of independent attestations, including SOC 1, SOC 2 and SOC 3, and ISO/IEC 27001, among others. These cover the infrastructure and platform layers that underpin Comply. Your team can verify the current scope and download the underlying audit reports directly from Microsoft:
Microsoft Trust Center (Data Security, Privacy, and Compliance)
Service Trust Portal (audit reports)
Comply is responsible for the security of everything built on top of that foundation (application code, configuration, data handling, and access), which the remaining sections describe.
Shopify (commerce platform)
Comply runs as an application within the merchant’s Shopify store. The commerce, checkout, and payment layers are provided and secured by Shopify, which maintains the following independent credentials:
• PCI DSS Level 1. Shopify holds PCI DSS Level 1 certification, the highest level defined by the PCI Security Standards Council for secure handling of payment card data.
• SOC 2 Type II / SOC 3. Shopify has issued SOC 2 Type II and SOC 3 reports covering the security and availability of its service.
Because payment card data is processed within Shopify’s PCI-certified environment, Comply never handles cardholder data. Comply works only with the order and fiscal transaction data required for compliance reporting and has no access to raw payment credentials.
More information: Viewing Shopify's compliance reports
Hosting and network architecture
Comply is designed to minimize its attack surface. The guiding principle is that nothing is exposed to the public internet except a single, controlled entry point.
Single ingress point. All inbound traffic enters through a single Azure Front Door instance, which applies a firewall with managed rules. No other component of the platform is reachable from the public internet.
Network isolation. Application services, background jobs, and data stores run inside a private Azure Virtual Network. Internal components communicate over private networking and have no public endpoints.
Compute. Application workloads run on Azure App Service and Azure Container Apps within the isolated virtual network.
Data store. Application and transactional data are stored in Azure.
The table below summarizes the hosting model:
Layer          | Implementation
Edge / ingress | Single Azure Front Door instance; sole public entry point, secured with a firewall and Azure managed rules
Network        | Private Azure Virtual Network; no public endpoints on internal services
Compute        | Azure App Service and Azure Container App Jobs
Data           | Azure DB and Storage components
Cloud provider | Microsoft Azure (SOC 1/2/3, ISO/IEC 27001 certified)
Data protection
Customer and end-user data is protected in transit and at rest:
Encryption. Traffic to and within the platform is encrypted using TLS. Data at rest is encrypted using Azure-managed encryption across the storage and database services we use.
Key and secret management. Cryptographic keys and application secrets are held in Azure Key Vault, with hardware security module (HSM) backing used for sensitive signing operations.
Data residency. Comply is operated from EU Azure regions, supporting data residency requirements relevant to European merchants and their end users.
Immutable fiscal archival. Where fiscal regulations require it, transactional records are retained in tamper-evident, write-once (WORM) storage to preserve their integrity over the required retention period.
All data either originates from Shopify or is generated within the Comply application; there are no external partners and no data sharing with third parties.
Access control and governance
Managed identities. Azure Managed Identities are used in place of stored credentials or secrets, providing identity-based authentication between platform components and minimizing the handling and exposure of sensitive credentials.
Restricted administration. Administrative access to the cloud environment is restricted to authorized personnel only.
Least privilege. Access to Azure resources is governed through Azure Role-Based Access Control (RBAC), enforcing least-privilege access to the environment.
Logging and monitoring. Platform and resource activity is logged through Azure's native monitoring and diagnostic services to support operational visibility, auditability and investigation.
Fiscal compliance context
Comply is a fiscal compliance platform. For regulated merchants, the integrity and auditability of fiscal records are often a more material concern than a generic security badge.
Comply implements the technical requirements of the regimes it supports, covering record integrity (hash chaining), immutability, digital signing, and long-term archival. These mechanisms are designed so that fiscal records remain complete, sequential, and tamper-evident, which directly supports the assurance objectives behind information-security governance reviews.
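As an added illustration of the hash-chaining and signing mechanisms described above (example code, not Comply's own implementation): the record layout, the constructed sample receipts, and the placeholder HMAC key standing in for an HSM-backed Key Vault signing key are all assumptions. It builds a sequential, tamper-evident record chain and shows how an altered record, a deleted record, and an unsigned re-hash are each detected.

```python
import hashlib
import hmac
import json

# Constructed placeholder key. In the architecture described above the signing
# key lives in Azure Key Vault (HSM-backed) and is never embedded in code.
SIGNING_KEY = b"placeholder-demo-key-not-for-production"
GENESIS = "0" * 64  # previous-hash value for the first record in a chain


def record_hash(seq, prev_hash, payload):
    """Hash of one fiscal record: binds sequence number, previous hash and content."""
    body = json.dumps({"seq": seq, "prev": prev_hash, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append_record(chain, payload):
    """Append a record whose hash chains to the last record (or to GENESIS)."""
    seq = len(chain) + 1
    prev = chain[-1]["hash"] if chain else GENESIS
    h = record_hash(seq, prev, payload)
    # HMAC stands in for the HSM-backed digital signing described in the text.
    sig = hmac.new(SIGNING_KEY, h.encode(), hashlib.sha256).hexdigest()
    chain.append({"seq": seq, "prev": prev, "payload": payload, "hash": h, "sig": sig})
    return chain[-1]


def verify_chain(chain):
    """Return (ok, reason); checks sequence, linkage, content hash and signature."""
    prev = GENESIS
    for i, rec in enumerate(chain, start=1):
        if rec["seq"] != i:  # gap or reordering: a record is missing or moved
            return False, f"sequence break at position {i} (seq={rec['seq']})"
        if rec["prev"] != prev:  # link to predecessor no longer matches
            return False, f"broken link at seq {i}"
        if record_hash(rec["seq"], rec["prev"], rec["payload"]) != rec["hash"]:
            return False, f"content altered at seq {i}"
        expected = hmac.new(SIGNING_KEY, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):  # re-hashed without the key
            return False, f"bad signature at seq {i}"
        prev = rec["hash"]
    return True, "ok"


if __name__ == "__main__":
    chain = []
    for total in ("12.50", "8.00", "41.99"):  # constructed sample receipts
        append_record(chain, {"type": "receipt", "total": total, "currency": "EUR"})
    chain[1]["payload"]["total"] = "0.01"  # alter a past receipt in place
    print(verify_chain(chain))  # → (False, 'content altered at seq 2')
```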
