Keep your data safe with Compa
Unlike legacy surveys, Compa is built for the highest levels of data privacy and security.
Helping top companies make smart compensation decisions
Compa’s approach to Safe Harbor
Compa’s approach aligns with current DOJ and FTC enforcement priorities to promote fair competition and protect data privacy.
Our platform aggregates and anonymizes compensation data from participating employers, applies safeguards to prevent re-identification, limits data dominance, and supports compliant market insights.
Our data privacy promise
Increase competitiveness
Compete more effectively by measuring market trends and adapting in real time.
Not another algorithm
Compa provides insights to comp teams to make decisions — it does not recommend actual pay amounts.
Eliminate privacy risk
Modern privacy protocols minimize data requirements and protect sensitive data.
Establish new standards
By using Compa, help build the next generation of security features for the world’s best comp teams.
Maintain compliance
Compa adheres to industry antitrust standards and complies with GDPR requirements.
Collaborative governance
We regularly collaborate with comp teams to review privacy standards and gather feedback on new privacy features.

New technology, same standards, better control
While introducing new real-time technology, Compa doesn’t alter or replace the Safe Harbor standards that have defined compensation market data for decades.
- Data privacy minimums
- Data dominance limits
- Configurable data recency and scope (“aging”)
- No pricing algorithms or recommendations
- No PII collected
- Peer Groups require Compa approval
- Multiple-company minimums for every data release
Security for the best teams in the world
Compa is SOC 2 Type II certified and GDPR compliant. Since its founding days, Compa has worked with some of the best enterprise compensation teams to instill compliance in everything we do.
- SOC 2 Type II certified
- GDPR compliant
- AWS Regions US West 2 (Oregon) and US East 1 (Virginia)
- TLS 1.2+ encryption in transit
- AES-256 encryption at rest
- No PII transferred
- SSO required
- No security breaches


Modern and flexible privacy standards
Minimums and dominance
- All market data is aggregate
- Minimum of 3 companies and 5 data points
- Market data releases are limited by country, job, level, etc.
Peer Groups
- Peer Groups must contain 10 or more companies
- Only admins can create Peer Groups, and only companies with completed integrations are available.
- All Peer Groups require Compa approval
Advanced Rules
- Weight-by-Company reduces distortions and eliminates data dominance risk
- Minimum new companies released
- Old data mode allows access to aggregate anonymized data more than a specified number of days old

The highest standards to protect your data
Organizational Security
Information Security Program
We have an Information Security Program in place that is communicated throughout the organization. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known information security auditing procedure created by the American Institute of Certified Public Accountants.
Third-Party Audits
Our organization undergoes independent third-party assessments to test our security and compliance controls.
Third-Party Penetration Testing
We perform an independent third-party penetration test at least annually to ensure that the security posture of our services is uncompromised.
Roles and Responsibilities
Roles and responsibilities related to our Information Security Program and the protection of our customers' data are well defined and documented. Our team members are required to review and accept all of the security policies.
Security Awareness Training
Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.
Confidentiality
All team members are required to sign and adhere to an industry standard confidentiality agreement prior to their first day of work.
Background Checks
We perform background checks on all new team members in accordance with local laws.
Cloud Security
Cloud Infrastructure Security
All of our services are hosted with Amazon Web Services (AWS). They employ a robust security program with multiple certifications. For more information on our provider's security processes, please visit AWS Security.
Data Hosting Security
All of our data is hosted on Amazon Web Services (AWS) databases. These databases are all located in the United States. Please reference the vendor-specific documentation linked above for more information.
Encryption at Rest
All databases are encrypted at rest.
Encryption in Transit
Our applications encrypt all data in transit using TLS/SSL only.
Vulnerability Scanning
We perform vulnerability scanning and actively monitor for threats.
Logging and Monitoring
We actively monitor and log various cloud services.
Business Continuity and Disaster Recovery
We use our data hosting provider's backup services to reduce any risk of data loss in the event of a hardware failure. We utilize monitoring services to alert the team in the event of any failures affecting users.
Incident Response
We have a process for handling information security events which includes escalation procedures, rapid mitigation and communication.
Access Security
Permissions and Authentication
Access to cloud infrastructure and other sensitive tools is limited to authorized employees who require it for their role.
Where available, we use Single Sign-On (SSO), two-factor authentication (2FA) and strong password policies to ensure that access to cloud services is protected.
Least Privilege Access Control
We follow the principle of least privilege with respect to identity and access management.
Quarterly Access Reviews
We perform quarterly access reviews of all team members with access to sensitive systems.
Password Requirements
All team members are required to adhere to a minimum set of password requirements and complexity for access.
Password Managers
All company issued laptops utilize a password manager for team members to manage passwords and maintain password complexity.
Vendor and Risk Management
Annual Risk Assessments
We undergo at least annual risk assessments to identify any potential threats, including considerations for fraud.
Vendor Risk Management
Vendor risk is determined and the appropriate vendor reviews are performed prior to authorizing a new vendor.
Learn more about Compa's approach to data privacy
Where is Compa data hosted and processed?
Compa’s platform and infrastructure are hosted on Amazon Web Services (AWS) in the United States. All customer and market data are processed within secure, access-controlled environments that meet leading industry security and privacy standards.
Data processing is performed in accordance with our Master Services Agreement (MSA) and Data Processing Addendum (DPA), and in compliance with GDPR, CCPA, and other applicable data protection regulations.
Compa supports customers’ regional and contractual requirements for data residency, retention, and deletion, and provides supporting documentation through the Compa Trust Center.
Subprocessors
Compa engages a limited number of trusted subprocessors—third-party service providers that support infrastructure and platform operations. Each subprocessor is carefully vetted for security, privacy, and regulatory compliance, and is bound by written data protection terms consistent with Compa’s contractual and legal obligations.
A current list of approved subprocessors, including their purpose and geographic location, is maintained and publicly available in the Compa Trust Center.
Is Compa SOC 1 Type 2 certified?
No. SOC 1 Type 2 does not apply to Compa’s business or services.
SOC 1 reports are designed for organizations that provide financial reporting-related services, such as payroll processors or accounting platforms whose controls could impact a customer’s financial statements. Because Compa does not process or influence customers’ financial reporting data, a SOC 1 audit is not applicable.
How often does Compa undergo penetration testing?
Compa engages an independent, third-party security firm to conduct a formal penetration test annually.
Each assessment includes both application-level and infrastructure-level testing, performed against our production environment in accordance with industry best practices such as OWASP Top 10 and NIST methodologies. Findings, if any, are tracked to resolution through Compa’s secure development lifecycle and verified as remediated.
A summary of the most recent penetration test results is available to customers under NDA through the Compa Trust Center.
Does Compa have a security training program for employees?
Yes. All Compa employees complete security and privacy training as part of their onboarding process.
Compa also provides annual refresher training and additional topical or role-based sessions as needed to reinforce key concepts and support continuous awareness.
This training ensures that every employee understands their responsibilities in protecting customer data and maintaining Compa’s high security and privacy standards.
What is Compa’s approach to Safe Harbor?
For many years, U.S. Department of Justice (DOJ) and Federal Trade Commission (FTC) guidance led HR leaders to believe that compensation data could only be shared if it was aggregated and at least 90 days old. That standard shifted in February 2023, when the DOJ withdrew its 1996 Healthcare Safe Harbor statement. Then, in January 2025, the DOJ and FTC also rescinded the 2016 Antitrust Guidance for Human Resource Professionals.
These actions reflect an evolving regulatory environment and a move away from rigid “safe harbor” assumptions toward a broader, case-by-case evaluation of how compensation data is shared. While the specific safe harbor criteria no longer apply, the agencies’ enforcement focus remains the same—preventing employer collusion and protecting healthy competition in labor markets.
Compa’s approach aligns with both the spirit and the intent of current DOJ and FTC enforcement priorities. The Compa platform uses aggregated, anonymized compensation data from hundreds of participating employers, with robust safeguards to ensure statistical sufficiency, data privacy, and fair-market representation. This design supports transparent, competitive, and compliant pay practices—without enabling coordination or restricting competition.
Compa’s solution is built for trust and compliance. Acting as a neutral third-party intermediary, Compa replaces risky one-to-one data exchanges with a secure, automated system validated by independent experts at NCC Group. The platform’s secure-by-design architecture prevents disaggregation or re-identification of data, applies parallel adoption rules that delay new data releases until they can be combined with data from other employers, and enforces visibility thresholds. Compa’s multi-layered aggregation and dominance controls ensure that no single employer can influence market outputs. These built-in safeguards, coupled with a privacy-by-default model and continuous compliance monitoring, give customers confidence that market insights remain competitive, compliant, and safe.
How does Compa protect privacy?
Compa is built with privacy by design. Our platform and processes are designed to protect both employer and candidate information, without relying on personally identifiable information (PII). Compa does not require, process, or store PII as part of market data generation.
Our commitments to privacy and data protection are formalized in Compa’s Master Services Agreement (MSA) and Data Processing Addendum (DPA), and are backed by our compliance with GDPR and other leading data privacy standards.
At the platform level, Compa applies multi-layered privacy and data sufficiency controls to ensure data integrity and prevent re-identification:
- Minimum participant thresholds (n-counts): Market data is only shown when sufficient data points are available across selected dimensions (such as job family, level, and location).
- Weighted data modes: Users can view aggregated data either by number of offers (“weight by offers”) or by participating companies (“weight by companies”), ensuring balanced representation.
- Market share limits: No single company ever represents more than a small, defined percentage of any aggregated market dataset.
- Peer group protections: Data visibility requires a minimum number of participating companies, and additional contribution percentage thresholds prevent any one participant from dominating a peer group.
These safeguards ensure that every insight derived from Compa reflects a statistically valid, anonymous view of the market—never the data of an individual company or person.
For more details, visit our Trust Center, where you can access privacy documentation, certifications, and security reports.
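The thresholds in the "Minimums and dominance" and "Advanced Rules" lists earlier on this page and the n-count, weighting, market-share and peer-group controls described just above can all be expressed as one release-gating routine that runs before any aggregate leaves the system. The following is an added example written for this page, not Compa's own code: it uses the minimums the page states (3 companies, 5 data points, 10-company Peer Groups), and it assumes a 50% per-company share cap, the field names, and the set of sample offers, none of which come from the page.

```python
"""Release gating for aggregated compensation data (added example, not Compa's code).

Implements the controls the page lists: minimum of 3 companies and 5 data points,
Peer Groups of 10 or more companies, weight-by-offers vs weight-by-companies,
a per-company share cap, and "old data mode" (aging). The 50% share cap, the
field names and the sample offers are assumptions constructed for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median

MIN_COMPANIES = 3              # page: "Minimum of 3 companies ..."
MIN_DATA_POINTS = 5            # page: "... and 5 data points"
MIN_PEER_GROUP_COMPANIES = 10  # page: "Peer Groups must contain 10 or more companies"
MAX_COMPANY_SHARE = 0.50       # ASSUMPTION: the page says a cap exists but not its value


@dataclass(frozen=True)
class Offer:
    company: str
    job: str
    level: str
    country: str
    base_salary: int
    offer_date: date


def select_cell(offers, job, level, country, min_age_days=0, today=None):
    """Restrict a release to one job/level/country cell and, in old-data mode,
    keep only offers at least min_age_days old."""
    today = today or date.today()
    cutoff = today - timedelta(days=min_age_days)
    return [o for o in offers
            if o.job == job and o.level == level and o.country == country
            and o.offer_date <= cutoff]


def check_release(cell, min_companies=MIN_COMPANIES):
    """Return (ok, reason). The whole cell is suppressed when any threshold fails."""
    if len(cell) < MIN_DATA_POINTS:
        return False, f"only {len(cell)} data points (< {MIN_DATA_POINTS})"
    counts = Counter(o.company for o in cell)
    if len(counts) < min_companies:
        return False, f"only {len(counts)} companies (< {min_companies})"
    top_company, top_count = counts.most_common(1)[0]
    share = top_count / len(cell)
    if share > MAX_COMPANY_SHARE:
        return False, f"{top_company} contributes {share:.0%} of points (> {MAX_COMPANY_SHARE:.0%})"
    return True, "ok"


def aggregate(cell, weight_by="offers"):
    """Median of the cell. weight_by='companies' first collapses each company to
    its own median so a high-volume contributor cannot dominate the statistic."""
    if weight_by == "companies":
        per_company = defaultdict(list)
        for o in cell:
            per_company[o.company].append(o.base_salary)
        values = [median(v) for v in per_company.values()]
    else:
        values = [o.base_salary for o in cell]
    return {"median": median(values), "n": len(values)}


def market_view(offers, job, level, country, weight_by="offers",
                min_age_days=0, today=None):
    """Gate, then aggregate: callers only ever see the aggregate or a refusal."""
    cell = select_cell(offers, job, level, country, min_age_days, today)
    ok, reason = check_release(cell)
    if not ok:
        return {"released": False, "reason": reason}
    return {"released": True, **aggregate(cell, weight_by)}


def validate_peer_group(companies):
    """Peer Groups need at least MIN_PEER_GROUP_COMPANIES distinct members."""
    distinct = set(companies)
    if len(distinct) < MIN_PEER_GROUP_COMPANIES:
        return False, f"{len(distinct)} companies (< {MIN_PEER_GROUP_COMPANIES})"
    return True, "ok"


# Constructed sample data (not real offers); dates are chosen relative to TODAY.
TODAY = date(2025, 6, 1)
SE, L4, US = "Software Engineer", "L4", "US"
SAMPLE_OFFERS = [
    Offer("A", SE, L4, US, 150000, date(2025, 3, 1)),
    Offer("A", SE, L4, US, 155000, date(2025, 3, 15)),
    Offer("A", SE, L4, US, 160000, date(2025, 4, 1)),
    Offer("B", SE, L4, US, 140000, date(2025, 2, 1)),
    Offer("B", SE, L4, US, 145000, date(2025, 5, 20)),
    Offer("C", SE, L4, US, 170000, date(2025, 1, 10)),
    Offer("D", SE, "L5", US, 200000, date(2025, 4, 5)),  # different cell, never mixed in
]
# One more offer from A pushes A above the assumed 50% share cap.
DOMINATED_OFFERS = SAMPLE_OFFERS + [Offer("A", SE, L4, US, 165000, date(2025, 4, 10))]

if __name__ == "__main__":
    print(market_view(SAMPLE_OFFERS, SE, L4, US, today=TODAY))
    print(market_view(SAMPLE_OFFERS, SE, L4, US, weight_by="companies", today=TODAY))
    print(market_view(SAMPLE_OFFERS, SE, L4, US, min_age_days=90, today=TODAY))
    print(market_view(DOMINATED_OFFERS, SE, L4, US, today=TODAY))
```

Two design points matter for a reviewer of such a gate. First, the checks run on the selected cell, not on the whole dataset, so a dimension filter (country, job, level) cannot be used to slice the data below the minimums. Second, "weight by companies" changes the count n that is reported: with three contributing companies the statistic is a median of three per-company medians, which is why the page pairs it with the dominance controls rather than treating it as a substitute for them. With the sample above, the 90-day old-data mode leaves only three eligible points and the cell is refused outright rather than published with a small n.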
Is Compa CCPA and GDPR compliant?
Yes. Compa complies with both the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR).
Under these frameworks, Compa acts as a data processor, while Compa’s customers remain the data controllers. This means customers retain full ownership and control over their data. Compa processes data strictly in accordance with customer instructions and the terms outlined in our Data Processing Addendum (DPA).
Compa’s privacy program is built on a privacy-by-design foundation. Compa does not require or use personally identifiable information (PII) to generate market data. All data within the Compa platform is aggregated, anonymized, and governed by strict access controls, ensuring compliance with applicable data protection laws.
Compa also supports customers in fulfilling their privacy obligations, including data subject rights requests and other CCPA or GDPR requirements, as needed.
For more information, visit the Compa Trust Center to access privacy documentation and compliance certifications.
Is Compa SOC 2 Type 2 certified?
Yes. Compa is SOC 2 Type 2 certified.
Compa’s independent SOC 2 Type 2 audit, conducted by an accredited third party, verifies that Compa maintains effective controls aligned with the AICPA Trust Services Criteria for security.
This certification demonstrates Compa’s commitment to safeguarding customer data through continuous monitoring, formalized policies, and secure-by-design engineering practices.
The current SOC 2 Type 2 report and supporting compliance documentation are available through the Compa Trust Center.
Does Compa use encryption to protect customer data?
Yes. Compa uses industry-standard encryption to protect all customer data both in transit and at rest.
- In transit: All data transmitted within or to the Compa platform is encrypted using TLS 1.2 or higher.
- At rest: All stored data, including backups, is encrypted using AES-256 encryption.
Encryption is always on throughout every transport tier and storage layer of the Compa platform. These controls are enforced by default and continuously monitored as part of our SOC 2 Type 2 security program.
How does Compa manage encryption keys?
Compa uses AWS-owned encryption keys, which are fully managed by Amazon Web Services (AWS).
This model ensures that encryption is always on by default across all AWS services used by Compa, including data stored in S3, EBS, and RDS. AWS-owned keys are automatically created, stored, rotated, and secured by hardware security modules (HSMs) that meet FIPS 140-3 criteria.
Because key management is handled entirely by AWS, Compa inherits AWS’s strong, continuously validated encryption and key protection controls without requiring any manual key configuration or rotation. All encryption at rest and in transit within the Compa platform leverages these AWS-managed safeguards.
Who has access to customer data at Compa?
Access to customer data within Compa is strictly limited and governed by the principle of least privilege.
A restricted group of authorized personnel may access customer data when required for legitimate operational reasons such as system maintenance, customer support, or security investigations. All access is role-based, logged, and continuously monitored.
Compa employees do not have access to customer market data content beyond what is necessary to operate and secure the platform. Production data access requires multi-factor authentication, approval, and is protected through network segmentation and strong identity controls.
Compa does not sell, share, or use customer data for any purpose other than delivering the contracted services.
Where can more information be found about Compa’s security and privacy practices?
More information about Compa’s security, privacy, and compliance program can be found in the Compa Trust Center.
The Trust Center provides access to Compa’s security documentation, certifications, audit reports, and policies, along with real-time updates on the company’s compliance posture and data protection practices.
Save your data from survey risk
Make the switch to real-time comp software.