MarketLabs
TRUST / SECURITY

Security is not a feature. It's the foundation.

Compass is built for organizations that cannot afford a security incident. Defence industrial groups. Banks and credit institutions. Private equity firms. Government agencies. This page describes how Compass approaches security as a structural property, not a marketing claim.

Your data stays yours.
Not a single byte trains any external model.

THE FOUR PILLARS

Sovereignty. Encryption. Control. Auditability.

Every security decision in Compass derives from these four principles.

Built in Europe, hosted in Europe, operated under European jurisdiction.

Compass is operated by MarketLabs S.r.l., a Rome-based company under Italian and European jurisdiction. All production hosting is in EU data centers. No US cloud dependencies in our default deployment. On-premise and air-gapped deployment options are available for customers with strict sovereignty requirements.

Data encrypted at rest and in transit, end to end.

All data at rest is encrypted using AES-256. All data in transit uses TLS 1.3. Customer-controlled encryption keys (BYOK) available for enterprise deployments. Sensitive fields support additional application-layer encryption with customer-managed keys.

Role-based access at every layer. Multi-tenant isolation by design.

Granular role-based access control across organizations, projects, entities, and individual fields. Multi-tenant architecture with strict logical separation — different customers' data never touches at the database level. SSO via SAML and OAuth supported. Audit logs on every access event.

Time Machine: every action, every signal, every state change traceable.

Compass's Time Machine capability preserves a complete audit trail of every entity state, every signal ingested, every user action, every AI decision. Forensic reconstruction of any historical moment in the platform takes seconds, not days. Designed for environments where accountability outlasts the people who made the decisions.

DEPLOYMENT MODELS

Choose the deployment that fits your risk model.

Different organizations have different operational and regulatory constraints. Compass offers three deployment models to fit them.

EU Cloud (Default)

  • Hosted in EU data centers (Frankfurt, Milan)
  • Multi-tenant SaaS with strict isolation
  • Best fit: Mid-market commercial teams, growing organizations, standard enterprise use cases
  • Time to deploy: Hours

Dedicated Private Cloud

  • Single-tenant deployment in EU cloud infrastructure of the customer's choice (AWS EU, Azure EU, GCP EU, or sovereign cloud providers such as OVHcloud and Aruba)
  • Customer-controlled encryption keys
  • Best fit: Large enterprise, regulated financial services, organizations with strict data residency requirements
  • Time to deploy: Days to weeks

On-Premise / Air-Gapped

  • Deployment inside the customer's own infrastructure
  • Air-gapped option available (no external network connectivity)
  • Best fit: Defence, intelligence, government, classified environments
  • Time to deploy: Weeks (engagement-based)

COMPLIANCE POSTURE

Built to meet the standards regulated industries require.

Compass is engineered to support compliance with European and sector-specific frameworks. Certifications below reflect current status and roadmap.

Framework | Status
GDPR | ✅ Compliant by design (see GDPR page)
EU AI Act | ✅ Aligned with applicable provisions (see AI Act page)
ISO 27001 | 🟡 In progress; certification expected [TO BE VALIDATED: target date]
SOC 2 Type II | 🟡 On roadmap; targeted for [TO BE VALIDATED: target year]
NIS 2 | ✅ Aligned with directive obligations
Defence-grade audit (sector-specific) | 🟡 Available on an engagement basis for defence customers

Certifications evolve. Contact us for our current security pack with up-to-date status, audit reports (where applicable), and answers to security questionnaires (SIG, CAIQ, custom).

OUR DATA HANDLING PRINCIPLES

Five commitments about your data.

These principles are not negotiable. They apply across all deployment models, all customer types, all contracts.

1. Your data stays yours.

MarketLabs claims no ownership rights over customer data. Customer data is processed solely to deliver the Compass service to that customer. Period.

2. Your data does not train our models.

Customer data is not used to train any general-purpose AI model, neither ours nor any third party's. Model improvements happen only on synthetic data, on opted-in research datasets, or on customer-specific fine-tuning within that customer's tenant.

3. We use a limited, vetted set of subprocessors.

[TO BE VALIDATED] The full list of subprocessors is published on this page and in our DPA. Major subprocessors include [hosting providers], [LLM providers], [data enrichment providers like Cerved]. We notify customers 30 days in advance of any subprocessor change.

4. We breach-notify within 96 hours.

In the event of a data breach affecting personal data, we notify affected customers and supervisory authorities within 96 hours of becoming aware, in line with current GDPR and EU Digital Omnibus requirements.

5. We support data portability and deletion.

Customers can export their data at any time in standard formats (JSON, CSV, structured API). Upon contract termination, customer data is deleted from production within 30 days and from backups within 90 days, in line with our DPA.

RESPONSIBLE DISCLOSURE

Found a vulnerability? We want to hear from you.

Compass operates a responsible disclosure program. Security researchers who identify potential vulnerabilities can contact us at security@marketlabs.io. We commit to acknowledge within 48 hours, assess within 7 days, and remediate confirmed issues with appropriate urgency. [TO BE VALIDATED: bug bounty program details, if applicable]

Get our complete security pack.

For procurement reviews, security questionnaires, or due diligence: request our complete security pack. It includes our DPA template, subprocessor list, certification status, penetration test summaries (where applicable), and answers to standard security frameworks (SIG, CAIQ).