Static site, strict runtime.

ComplyEaze Tools is deployed as a static container with no application backend, no accounts, no database, no analytics, and no document upload surface.

Runtime controls

Production runs a static container with a read-only filesystem, non-root user, no workload secrets, no service account token, and a default-deny egress NetworkPolicy.
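The controls listed above, expressed as Kubernetes manifests. This is an added example, not the project's own deployment files. It assumes Kubernetes, which the NetworkPolicy and service account token wording implies. The resource names, namespace, labels, port, UID and image reference are placeholders.

```yaml
# Illustrative manifests; every name and the image reference are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-site                 # hypothetical
  namespace: web                    # hypothetical
spec:
  replicas: 1
  selector:
    matchLabels: {app: static-site}
  template:
    metadata:
      labels: {app: static-site}
    spec:
      automountServiceAccountToken: false    # no service account token in the pod
      securityContext:
        runAsNonRoot: true                   # kubelet refuses to start a UID 0 container
        runAsUser: 10001                     # arbitrary unprivileged UID (assumption)
      containers:
        - name: web
          # Deploy by immutable digest, never by tag. <DIGEST> is a placeholder.
          image: ghcr.io/<OWNER>/<IMAGE>@sha256:<DIGEST>
          ports:
            - containerPort: 8080            # ports above 1024 need no extra capability
          securityContext:
            readOnlyRootFilesystem: true
            # The next two are not stated on the page; they are common companions
            # to a non-root, read-only container.
            allowPrivilegeEscalation: false
            capabilities: {drop: ["ALL"]}
          # No env, envFrom or Secret volumes: the workload carries no secrets.
          volumeMounts:
            - {name: tmp, mountPath: /tmp}   # scratch space, only if the server needs it
      volumes:
        - name: tmp
          emptyDir: {medium: Memory, sizeLimit: 16Mi}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: web
spec:
  podSelector: {}                   # selects every pod in the namespace
  policyTypes: ["Egress"]
  egress: []                        # no allow rules, so all egress (DNS included) is dropped
```

A NetworkPolicy only takes effect when the cluster's network plugin enforces it, so confirm enforcement by attempting an outbound connection from a test pod in the same namespace.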

Supply chain

Releases are built from the public repository, pushed to GHCR, and deployed by immutable image digest. The publish workflow emits SBOM and provenance evidence for the container image.

Report privately

Send security or privacy reports to security at complyeaze dot com with synthetic reproduction steps. Do not open public issues with taxpayer identifiers, credentials, portal screenshots, or document contents.

Testing boundary

Good-faith testing should avoid denial-of-service, credential capture, data exfiltration, persistence, social engineering, and access to data that does not belong to you.