Security at every layer.
Greene Comply is built for environments where security isn't optional. Here's exactly how we earn the trust we ask for.
What we actually mean by 'secure by default'.
Zero plaintext storage
API keys and delegate tokens are stored as SHA-256 hashes only. Never logged, never retrievable. We literally cannot leak what we don't have.
Tenant-scoped data
Customer data is partitioned so each organization only ever reads its own rows — enforced server-side, not just in the UI.
Identity-anchored decisions
Government ID verification in the browser before any policy context goes live — so every approved spend maps to a verified human owner.
Immutable audit trail
Every policy change, freeze, and authorization decision is signed and logged with timestamp, actor, and reason. Append-only.
Atomic policy engine
Identity, period budget, vendor rules, and category checks run in one decision pass — you never land in a half-approved state.
Emergency kill switch
One action freezes every policy context and revokes every active delegate token, instantly. Recoverable, but it stops the bleeding in seconds.
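The hash-only storage under "Zero plaintext storage" and the revoke-everything step under "Emergency kill switch", shown together as an added example that is not Greene Comply's own code. The `TokenStore` class, its method names, the `gc_` prefix and the in-memory dict are assumptions made for illustration.

```python
import hashlib
import secrets


class TokenStore:
    """Hash-only store for API keys and delegate tokens (illustrative)."""

    def __init__(self):
        # SHA-256 hex digest -> record; the raw token is never kept.
        self._records = {}

    @staticmethod
    def _digest(token: str) -> str:
        # Plain SHA-256 suits long random tokens only; low-entropy
        # secrets such as passwords need a slow, salted KDF instead.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, tenant: str) -> str:
        """Create a token, persist its digest, return the raw value once."""
        token = "gc_" + secrets.token_urlsafe(32)  # hypothetical prefix
        self._records[self._digest(token)] = {"tenant": tenant, "active": True}
        return token

    def verify(self, presented: str):
        """Return the owning tenant, or None if unknown or revoked."""
        record = self._records.get(self._digest(presented))
        if record is None or not record["active"]:
            return None
        return record["tenant"]

    def revoke_all(self) -> int:
        """Kill switch: deactivate every token; returns how many were live."""
        live = [r for r in self._records.values() if r["active"]]
        for record in live:
            record["active"] = False
        return len(live)

    def stored_values(self):
        """What a database dump would expose: digests, never tokens."""
        return sorted(self._records)


if __name__ == "__main__":
    store = TokenStore()
    key = store.issue("tenant-a")  # constructed sample tenant
    print(store.verify(key), store.stored_values())
    print(store.revoke_all(), store.verify(key))
```

The raw token exists only in the return value of `issue`, so it has to be shown to the caller at creation time and cannot be recovered afterwards.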
Boring stack, on purpose.
Where we are. Where we're going.
Found something? Tell us first.
We pay attention. If you've found a security issue — actual or suspected — please email us before disclosing publicly. We'll respond within one business day, work with you on a fix, and credit you when the patch ships.
Want the full security questionnaire?
Standard SIG, CAIQ, and a custom DPIA available on request for Enterprise customers.