Composure handles sensitive client communications and service data. We take that responsibility seriously — with enterprise-grade security, UK and EU data residency, and governance controls designed for professional MSP operations.
We understand that MSPs handle sensitive client information and that data residency matters to both you and your clients. Composure is built on infrastructure entirely within the UK and EU.
All customer data is stored and processed exclusively in certified UK and EU data centres. No data is transferred to or stored in any jurisdiction outside the EEA.
All data stored by Composure is encrypted at rest using AES-256 encryption. Database encryption, file storage encryption, and backup encryption are all applied consistently.
All data transferred between Composure and your browsers, our APIs, and delivery channels is protected by TLS 1.3. We enforce HTTPS across all endpoints.
Granular role-based access controls ensure that team members can only access the data and functionality their role requires. Permissions are configurable per user.
Multi-factor authentication is available and strongly recommended for all Composure accounts. Admins can enforce MFA for all users within their organisation.
Every action taken within Composure — communications sent, edits made, approvals given, logins performed — is recorded in an immutable audit log. Audit log entries are retained for a minimum of 12 months.
Composure is built with GDPR requirements in mind throughout — from data minimisation to sub-processor transparency. We don't treat compliance as an afterthought.
Composure only collects and processes the data it needs to provide the service. We don't retain data beyond its stated purpose.
We publish a full list of sub-processors — the third-party services involved in processing your data. You'll be notified of any changes to this list.
A GDPR-compliant Data Processing Agreement is available to all customers. Contact us to obtain a signed DPA for your records.
We provide tooling and processes to support your GDPR obligations around subject access requests, erasure requests, and data portability.
Data retention periods are defined and enforced. Audit logs are retained for 12 months minimum. Communication records are retained for 24 months by default and configurable to your needs.
When Composure sends communications on your behalf, they are delivered professionally, reliably, and in compliance with email authentication standards.
All outbound emails are authenticated using industry-standard SPF, DKIM, and DMARC protocols — protecting your reputation and ensuring deliverability.
Composure uses a dedicated sending infrastructure with a managed sender reputation — ensuring your communications reach inboxes, not spam folders.
Composure is AI-assisted, not AI-autonomous. Every client communication requires human approval before it is sent — full stop. This is not a configurable default; it is how the platform works.
Post-incident reports pass through a structured three-stage approval workflow before being sent to clients. Nothing leaves without the right sign-off.
Before any communication is queued for approval, Composure reviews it for inappropriate language, blame language, or oversharing of sensitive technical information — flagging issues for human review.
See exactly what was sent, when it was sent, whether it was delivered, and whether it was opened — for every communication, to every contact.
If you have specific security, compliance, or data protection requirements for your MSP, speak to our team. We can provide documentation, arrange security reviews, and sign DPAs for enterprise requirements.