Book a demoStart free trial
Security & trust

Security built for the MSP environment

Composure handles sensitive client communications and service data. We take that responsibility seriously — with enterprise-grade security, UK and EU data residency, and governance controls designed for professional MSP operations.

UK & EU data residency AES-256 encryption GDPR compliant
Infrastructure and data

Your data stays in the UK and EU — full stop

We understand that MSPs handle sensitive client information and that data residency matters to both you and your clients. Composure is built on infrastructure entirely within the UK and EU.

UK & EU data residency

All customer data is stored and processed exclusively in certified UK and EU data centres. No data is transferred to or stored in any jurisdiction outside the EEA.

Encryption at rest

All data stored by Composure is encrypted at rest using AES-256 encryption. Database encryption, file storage encryption, and backup encryption are all applied consistently.

Encryption in transit

All data transferred between Composure and your browsers, our APIs, and delivery channels is protected by TLS 1.3. We enforce HTTPS across all endpoints.

Role-based access control

Granular role-based access controls ensure that team members can only access the data and functionality their role requires. Permissions are configurable per user.

Multi-factor authentication

Multi-factor authentication is available and strongly recommended for all Composure accounts. Admins can enforce MFA for all users within their organisation.

Immutable audit logging

Every action taken within Composure — communications sent, edits made, approvals given, logins performed — is recorded in an immutable audit log. Retained for a minimum of 12 months.

GDPR and data protection

Designed to support your compliance obligations

Composure is built with GDPR requirements in mind throughout — from data minimisation to sub-processor transparency. We don't treat compliance as an afterthought.

Data minimisation by design

Composure only collects and processes the data it needs to provide the service. We don't retain data beyond its stated purpose.

Sub-processor transparency

We publish a full list of sub-processors — the third-party services involved in processing your data. You'll be notified of any changes to this list.

Data Processing Agreement (DPA)

A GDPR-compliant Data Processing Agreement is available to all customers. Contact us to obtain a signed DPA for your records.

Data subject rights support

We provide tooling and processes to support your GDPR obligations around subject access requests, erasure requests, and data portability.

Retention policies

Data retention periods are defined and enforced. Audit logs are retained for 12 months minimum. Communication records are retained for 24 months by default and configurable to your needs.

Our security commitments

No data ever leaves the UK and EU
Security incidents disclosed within 72 hours in accordance with GDPR requirements
Regular security testing and penetration testing
We do not sell or share your data with third parties for any commercial purpose
Access to production environments is restricted and logged
Email delivery and governance

Professional email delivery built in

When Composure sends communications on your behalf, they are delivered professionally, reliably, and in compliance with email authentication standards.

SPF, DKIM, and DMARC

All outbound emails are authenticated using industry-standard SPF, DKIM, and DMARC protocols — protecting your reputation and ensuring deliverability.

Managed sender reputation

Composure uses a dedicated sending infrastructure with a managed sender reputation — ensuring your communications reach inboxes, not spam folders.

Human approval before every send

Composure is AI-assisted, not AI-autonomous. Every client communication requires human approval before it is sent — full stop. This is not a configurable default; it is how the platform works.

Approval workflows for reports

Post-incident reports pass through a structured three-stage approval workflow before being sent to clients. Nothing leaves without the right sign-off.

Sentiment and language review

Before any communication is queued for approval, Composure reviews it for inappropriate language, blame language, or oversharing of sensitive technical information — flagging issues for human review.

Full delivery and engagement reporting

See exactly what was sent, when it was sent, whether it was delivered, and whether it was opened — for every communication, to every contact.

Questions about security?

We're happy to discuss our security posture in detail

If you have specific security, compliance, or data protection requirements for your MSP, speak to our team. We can provide documentation, arrange security reviews, and sign DPAs for enterprise requirements.

Contact our team Request security documentation