Compass — IT Security Overview

Jun 2026

Supplier: Class Legal

Platform: Compass

Enquiries: info@classlegal.com

Class Legal supplies Compass to law firms. This document answers the IT security, data protection, hosting, and AI governance questions firms typically ask when evaluating the platform: how data is protected, where it is processed, who can access it, and how AI-assisted research features are governed.

Contents

1. Data protection & GDPR

2. Cloud hosting & infrastructure

3. Service access, encryption & SLAs

4. AI governance & model use

  • Technical and product
  • Security and compliance
  • Ethics

1. Data protection & GDPR

Q1.1. How long is personal data processed through Compass retained?

Data retention periods are defined in the applicable Compass service terms and data processing arrangements. In line with Class Legal's privacy policy, personal information is stored for no longer than necessary.

Q1.2. Can specific data be deleted on request?

Data can be deleted on request in line with those arrangements, and individuals also have the right to erasure as described in the privacy policy.

Q1.3. What process does Compass use for destruction of physical and electronic personal data?

Electronic data is securely deleted by cryptographic erasure or secure wipe. Compass does not hold physical records containing personal data.

Q1.4. Where can we find Class Legal's privacy policy?

Class Legal's privacy policy is published at classlegal.com/pages/privacy-policy.

Q1.5. What sub-processors are used to operate Compass?

Sub-processors used to operate Compass currently include:

  • Stackfix (software development and technical operation of Compass, UK)
  • Neon (managed PostgreSQL database hosting on AWS infrastructure, UK, London)
  • AWS (user authentication via Amazon Cognito)
  • Cloudflare (UK/EU) and Railway (EU) (application infrastructure)
  • Google Vertex AI (AI inference, where AI features are enabled)

An updated sub-processor list can be provided on request.

Q1.6. Are Compass sub-processors UK GDPR compliant?

Compass puts appropriate contractual measures in place with relevant sub-processors, including DPAs and transfer mechanisms where required.

Q1.7. Where is data processed and stored when using Compass?

Application data is stored in a PostgreSQL database hosted on AWS in the UK (London). Other application infrastructure may be hosted in additional regions as described in the Cloud hosting section.

Q1.8. Please confirm the legal basis upon which data is transferred outside the UK (e.g. Standard Contractual Clauses).

Where personal data is transferred outside the UK, Compass relies on appropriate transfer mechanisms such as the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or other lawful transfer mechanisms as applicable to the relevant sub-processor and transfer.

2. Cloud hosting & infrastructure

Q2.1. How are roles enabling access to Compass customer data designed to protect data from unauthorised or malicious access?

Access is restricted to named personnel with individual accounts and MFA where supported. Shared administrative accounts are avoided.

Q2.2. How is customer data segregated within the virtual and network environments?

Customer data is logically segregated within a shared database: every row is scoped to a client (tenant) identifier, and the application enforces that tenant context on all reads and writes, so one client cannot access another client's data. Access to the database is restricted to the application environment and authorised personnel. Isolation is therefore enforced primarily at the application and data-access layer rather than by separate databases or networks per client.
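The following is an added illustration of the tenant-scoping pattern described in the answer above; it is not Compass code. It assumes a single shared table whose rows carry a tenant_id, and a data-access layer that refuses to run any query or write without an explicit tenant context, so the classic multi-tenant defect (a lookup by primary key that forgets the tenant filter) cannot happen through that interface. An in-memory SQLite database stands in for PostgreSQL so the example runs offline; the table, rows and tenant identifiers are constructed for the example.

```python
"""Tenant-scoped data access (added example, not Compass code)."""
import sqlite3
from contextlib import contextmanager


class TenantContextMissing(Exception):
    """Raised when code tries to touch tenant data without a tenant context."""


class TenantScopedRepo:
    """Data-access layer that adds tenant scoping to every query.

    Callers never write `WHERE tenant_id = ?` themselves; the repository adds
    it, so a forgotten filter is not possible through this interface.
    """

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        self._tenant = None

    @contextmanager
    def as_tenant(self, tenant_id: str):
        """Set the tenant context for the duration of a request."""
        previous = self._tenant
        self._tenant = tenant_id
        try:
            yield self
        finally:
            self._tenant = previous

    def _require_tenant(self) -> str:
        if self._tenant is None:
            raise TenantContextMissing("no tenant context set")
        return self._tenant

    def list_matters(self) -> list:
        tenant = self._require_tenant()
        rows = self.conn.execute(
            "SELECT title FROM matters WHERE tenant_id = ? ORDER BY id", (tenant,)
        ).fetchall()
        return [r[0] for r in rows]

    def get_matter(self, matter_id: int):
        """Returns None when the id exists but belongs to another tenant."""
        tenant = self._require_tenant()
        return self.conn.execute(
            "SELECT id, title FROM matters WHERE id = ? AND tenant_id = ?",
            (matter_id, tenant),
        ).fetchone()

    def add_matter(self, title: str) -> int:
        tenant = self._require_tenant()  # the write is stamped with the caller's tenant
        cur = self.conn.execute(
            "INSERT INTO matters (tenant_id, title) VALUES (?, ?)", (tenant, title)
        )
        return cur.lastrowid


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE matters (id INTEGER PRIMARY KEY, "
        "tenant_id TEXT NOT NULL, title TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO matters (tenant_id, title) VALUES (?, ?)",
        [("firm-a", "Smith v Jones"),
         ("firm-a", "Re: Estate of Brown"),
         ("firm-b", "Acme Ltd restructuring")],
    )
    return conn


def unscoped_lookup(conn: sqlite3.Connection, matter_id: int):
    """The anti-pattern: a primary-key lookup with no tenant filter.
    Any tenant that guesses an id can read another tenant's row."""
    return conn.execute(
        "SELECT id, title FROM matters WHERE id = ?", (matter_id,)
    ).fetchone()


def demo():
    """Compare scoped and unscoped access to the same row from firm-b's side."""
    conn = build_demo_db()
    repo = TenantScopedRepo(conn)
    with repo.as_tenant("firm-b"):
        own = repo.list_matters()
        cross = repo.get_matter(1)  # id 1 belongs to firm-a
    leaked = unscoped_lookup(conn, 1)
    return own, cross, leaked


if __name__ == "__main__":
    own, cross, leaked = demo()
    print("firm-b sees:", own)
    print("scoped lookup of firm-a's row:", cross)
    print("unscoped lookup of the same row:", leaked)
```

The scoped lookup of another tenant's row returns nothing, while the unscoped helper returns it; a reviewer checking a multi-tenant code base looks for exactly the second shape of query. PostgreSQL row-level security with a per-connection tenant setting is a complementary defence at the database layer, but the page states that isolation is enforced at the application layer, which is what this example models.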

Q2.3. How are encryption and associated keys managed within the cloud environment?

Data is encrypted at rest with AES-256; the database encryption keys are managed by Neon using AWS Key Management Service (KMS). Data in transit is protected with TLS 1.2 or higher.

Q2.4. How are technical vulnerabilities managed in the cloud environment?

Dependencies and infrastructure are monitored for vulnerabilities. Security patches are prioritised based on severity and exposure.

Q2.5. How is backup managed within the cloud environment?

The Compass database is backed up daily, with each backup retained for 14 days, supporting recovery from accidental change or deletion.

Q2.6. Does Compass rely on any third-party security/privacy policies to provide its service securely (e.g. AWS, Azure)?

Yes. Cloudflare (ISO 27001, SOC 2), Railway (SOC 2 Type 2, GDPR), and Neon (SOC 2, ISO 27001, ISO 27701; GDPR and CCPA compliant), with the Compass database hosted in AWS data centres in the UK (London).

Q2.7. What technical steps are taken to harden the cloud environment from a security perspective?

Hardening measures include least-privilege access, encryption at rest and in transit, monitoring and alerting, restricted administrative access, and no default credentials.

Q2.8. What is the hosting architecture of Compass?

Compass is a managed cloud application. The application runs on Railway, with public traffic fronted by Cloudflare (DNS, reverse proxy, DDoS protection, and TLS at the edge). Application data is stored in a PostgreSQL database hosted on AWS in the UK (London). Where AI features are enabled, AI inference is provided via Google Vertex AI.

3. Service access, encryption & SLAs

Q3.1. Is Compass data encrypted (both at rest and in transit)?

Yes. Encrypted at rest (AES-256) and in transit (TLS 1.2+).

4. AI governance & model use

Technical and product

Q4.1. How does Compass AI work in practice?

Compass uses large language models to process legal research queries and generate structured outputs. The application layer handles prompt construction, context retrieval, and output formatting.

Q4.2. What underlying technologies does Compass AI use?

Large language models accessed via Google Vertex AI, with an application layer for prompt construction, context retrieval, structured output parsing, and integration with the Compass platform.

Q4.3. Which AI models do you use?

This depends on the specific feature requirements; different models are better suited to different tasks. Compass primarily uses Google Gemini via Google Vertex AI, selected for accuracy, its data processing terms, and contractual terms under which client data is not used for model training.

Q4.4. Do Compass AI models have access to internet content (live or otherwise)?

This depends on the specific feature requirements. The models themselves do not browse the internet; they are accessed via API only. Any external data retrieval is performed by the application layer under explicit controls.

Q4.5. How do you ensure the quality and accuracy of outputs generated by AI?

Outputs are validated through prompt engineering, structured output parsing, and application-level checks.

Security and compliance

Q4.6. How do you handle data security and privacy in relation to AI?

Data sent to AI providers is transmitted via encrypted API calls, typically using TLS 1.2 or higher. Where AI features are used, Compass uses commercial terms intended to restrict provider use of client data for model training and puts contractual measures in place as appropriate.

Q4.7. Do you use AI providers that train on our data?

No. Where AI features are used, Compass uses Google Vertex AI under commercial terms under which client data is not used to train models.

Q4.8. Do you use AI providers that log customer data?

No. Compass uses Google Vertex AI under commercial terms under which client data is not logged or retained beyond what is required to process the request.

Q4.9. What security standards do Compass AI capabilities comply with?

Google Vertex AI is operated by Google Cloud, which maintains SOC 2 Type II and ISO 27001 certifications. Compass is operated using the data handling and security practices described in the sections above.

Q4.10. What measures are in place to prevent the AI from generating harmful or inappropriate content?

Prompt engineering includes safety guardrails. Model providers implement content filtering. Application-level validation reduces the likelihood of harmful content reaching users. Compass does not publish material or trigger consequential actions on the user's behalf without explicit user approval; professional judgement stays with the user.

Q4.11. Where and how is data transferred/processed by AI?

Application data is stored in a PostgreSQL database hosted on AWS in the UK (London). Where AI features are used, relevant data is sent to Google Vertex AI for processing. Any international transfers are handled using the applicable contractual transfer mechanisms.

Q4.12. How do you manage updates and improvements to the AI models that you use?

Model updates are evaluated before production use.

Ethics

Q4.13. How do you address ethical considerations and bias related to the use of AI?

Compass mitigates ethical and bias risks through prompt design, feature-level review, structured outputs where appropriate, and user verification measures such as source citations where available. AI outputs are intended to assist, not replace, user judgement.

Q4.14. How does your system mitigate ethical and bias risks related to the use of AI?

Mitigation includes prompt design with safety guardrails, feature-level review before release, structured outputs where appropriate, source citations for user verification where available, and presenting AI-generated content for human review rather than automated publication or consequential action.
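The following is an added illustration of the application-level checks referred to in Q4.5 and of the source-citation verification referred to in Q4.13 and Q4.14; it is not Compass code. It assumes the model has been asked to return JSON of the form {"answer": str, "citations": [{"source_id": str, "quote": str}, ...]} and that the application knows which source passages it supplied as context. The checks are: the response parses as JSON, carries only the expected keys, every citation refers to a source that was actually supplied, and every quoted passage appears verbatim in that source. A response that fails any check is routed to human review rather than shown as a finished answer. The schema, context passages and sample model responses are constructed for this example.

```python
"""Validating structured AI output and its citations (added example, not Compass code)."""
import json
from dataclasses import dataclass, field

EXPECTED_KEYS = {"answer", "citations"}
CITATION_KEYS = {"source_id", "quote"}


@dataclass
class ValidationResult:
    ok: bool                      # True only if every check passed
    answer: str = ""
    citations: list = field(default_factory=list)
    problems: list = field(default_factory=list)  # reasons for human review


def validate_ai_output(raw: str, context: dict) -> ValidationResult:
    """context maps source_id -> the passage text that was given to the model."""
    problems = []
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as e:
        return ValidationResult(ok=False, problems=[f"not valid JSON: {e.msg}"])

    # Structural check: exactly the keys we asked for, nothing extra smuggled in.
    if not isinstance(data, dict) or set(data) != EXPECTED_KEYS:
        return ValidationResult(ok=False, problems=["unexpected top-level structure"])

    answer = data["answer"] if isinstance(data["answer"], str) else ""
    if not answer.strip():
        problems.append("answer missing or empty")

    citations = data["citations"] if isinstance(data["citations"], list) else []
    if not citations:
        problems.append("no citations: uncited answers go to review")

    for i, c in enumerate(citations):
        if not isinstance(c, dict) or set(c) != CITATION_KEYS:
            problems.append(f"citation {i}: malformed")
            continue
        src = context.get(c["source_id"])
        if src is None:
            # The model cited something it was never given: a fabricated source.
            problems.append(f"citation {i}: source {c['source_id']!r} not in retrieved context")
        elif c["quote"] not in src:
            # Source exists but the quote is not in it: a fabricated or altered quote.
            problems.append(f"citation {i}: quote not found verbatim in {c['source_id']!r}")

    return ValidationResult(ok=not problems, answer=answer,
                            citations=citations, problems=problems)


# Constructed context: the passages the application retrieved and sent to the model.
CONTEXT = {
    "doc-1": "The court may make an order for costs where a party has acted unreasonably.",
    "doc-2": "A statement of costs must be filed no later than 24 hours before the hearing.",
}

# Constructed model responses: one well-formed, one with fabricated citations.
GOOD_RESPONSE = json.dumps({
    "answer": "Costs orders are available where a party acted unreasonably.",
    "citations": [{"source_id": "doc-1",
                   "quote": "where a party has acted unreasonably"}],
})
FABRICATED_RESPONSE = json.dumps({
    "answer": "Costs always follow the event.",
    "citations": [{"source_id": "doc-9", "quote": "costs follow the event"},
                  {"source_id": "doc-1", "quote": "costs follow the event"}],
})


def demo():
    """Run both constructed responses through the validator."""
    return (validate_ai_output(GOOD_RESPONSE, CONTEXT),
            validate_ai_output(FABRICATED_RESPONSE, CONTEXT))


if __name__ == "__main__":
    for result in demo():
        status = "accepted" if result.ok else "sent to human review"
        print(status, result.problems)
```

The second response is rejected twice over: one citation names a source the application never supplied, and the other names a real source but quotes text that is not in it. Requiring verbatim quotes from the retrieved context is a cheap check that catches the most common way a model fabricates support for an answer; it does not prove the answer is right, which is why the page keeps the final judgement with the user.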

Compass is supplied by Class Publishing Limited (trading as Class Legal), company number 2993127, ICO registration ZA047303. Law firms should direct contractual, security, and data protection enquiries to Class Legal at info@classlegal.com. Class Legal's privacy policy, including data subject rights and contact routes, is available at classlegal.com/pages/privacy-policy.