Vulnerability Disclosure Policy

Effective: April 2026 · In compliance with the Cyber Resilience Act (EU) 2024/2847, Article 11

Our Commitment

AIComply is committed to ensuring the security of our platform and the data our customers entrust to us. We welcome and encourage responsible security research and vulnerability disclosure from the security community. This policy outlines how to report vulnerabilities and what you can expect from us.

Scope

This policy applies to vulnerabilities in:

  • The AIComply web application (app.aicomply.eu)
  • AIComply REST APIs (api.aicomply.eu)
  • AIComply public website (www.aicomply.eu)
  • Supporting infrastructure directly operated by AIComply

Out of scope: Third-party services (Stripe, Supabase, Anthropic), social engineering attacks, denial-of-service attacks, and physical security.

How to Report

Email: security@ai-comply.app

When reporting a vulnerability, please include:

  • A clear description of the vulnerability and its potential impact
  • Detailed steps to reproduce the issue
  • Affected component (URL, API endpoint, feature)
  • Your assessment of severity (Critical / High / Medium / Low)
  • Any proof-of-concept code or screenshots

For sensitive reports, you may encrypt your message using our PGP key available at https://aicomply.eu/.well-known/pgp-key.asc

Response Commitments

  • Acknowledge receipt: 48 hours
  • Initial triage and severity assessment: 5 business days
  • Patch for Critical severity: 30 calendar days
  • Patch for High severity: 60 calendar days
  • Patch for Medium/Low severity: 90 calendar days
  • Public disclosure (after patch): Coordinated with reporter

Safe Harbor

We will not pursue legal action against security researchers who:

  • Act in good faith and follow this disclosure policy
  • Avoid accessing, modifying, or deleting data belonging to other users
  • Do not exploit the vulnerability beyond what is necessary for demonstration
  • Report the vulnerability promptly and allow reasonable time for remediation
  • Do not publicly disclose the vulnerability before a patch is available

Recognition

We believe in recognising security researchers who help us protect our platform and our customers. With your permission, we will acknowledge your contribution on this page. We currently do not offer a monetary bug bounty programme, but may introduce one in the future.

CRA Compliance

This vulnerability disclosure policy is maintained in compliance with Article 11 of the Cyber Resilience Act (EU) 2024/2847, which requires manufacturers of products with digital elements to establish and maintain a coordinated vulnerability disclosure policy. Actively exploited vulnerabilities will be reported to ENISA within 24 hours as required by Article 14(2)(a).

For general security enquiries, contact security@ai-comply.app · For data protection enquiries, contact dpo@aicomply.eu