Runtime controls
Production runs a static container with a read-only filesystem, non-root user, no workload secrets, no service account token, and a default-deny egress NetworkPolicy.
ComplyEaze Tools is deployed as a static container with no application backend, no accounts, no database, no analytics, and no document upload surface.
Releases are built from the public repository, pushed to GHCR, and deployed by immutable image digest. The publish workflow emits SBOM and provenance evidence for the container image.
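One way to check the controls listed above against parsed manifests, as an added example that is not ComplyEaze's own code. It assumes the workload is a Kubernetes Deployment; the manifest fields are standard Kubernetes, while the function names, image name and digest are constructed for illustration.

```python
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit_workload(deploy):
    """Return findings for a Deployment manifest already parsed into a dict."""
    findings = []
    pod = deploy["spec"]["template"]["spec"]
    # The token is mounted unless this field is explicitly False.
    if pod.get("automountServiceAccountToken") is not False:
        findings.append("service account token is mounted")
    pod_sc = pod.get("securityContext", {})
    for c in pod["containers"]:
        sc = c.get("securityContext", {})
        if not DIGEST_RE.search(c.get("image", "")):
            findings.append(f"{c['name']}: image not pinned by digest")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{c['name']}: root filesystem is writable")
        # A container-level value overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"{c['name']}: may run as root")
        refs = [e for e in c.get("env", []) if "secretKeyRef" in e.get("valueFrom", {})]
        refs += [e for e in c.get("envFrom", []) if "secretRef" in e]
        if refs:
            findings.append(f"{c['name']}: references a Secret")
    if any("secret" in v for v in pod.get("volumes", [])):
        findings.append("Secret volume is mounted")
    return findings

def is_default_deny_egress(netpol):
    """True when the policy selects every pod and allows no egress at all."""
    spec = netpol["spec"]
    return (spec.get("podSelector") == {} and "Egress" in spec.get("policyTypes", [])
            and not spec.get("egress"))

# Constructed sample manifests (placeholder image name and digest).
def sample_deployment(image, hardened):
    sc = {"readOnlyRootFilesystem": True, "runAsNonRoot": True} if hardened else {}
    return {"kind": "Deployment", "spec": {"template": {"spec": {
        "automountServiceAccountToken": False if hardened else None,
        "containers": [{"name": "web", "image": image, "securityContext": sc}]}}}}

PINNED = "ghcr.io/example/tools@sha256:" + "0" * 64
DENY_EGRESS = {"kind": "NetworkPolicy",
               "spec": {"podSelector": {}, "policyTypes": ["Egress"]}}

if __name__ == "__main__":
    print(audit_workload(sample_deployment(PINNED, True)))
    print(audit_workload(sample_deployment("ghcr.io/example/tools:latest", False)))
    print(is_default_deny_egress(DENY_EGRESS))
```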
Send security or privacy reports to security at complyeaze dot com with synthetic reproduction steps. Do not open public issues with taxpayer identifiers, credentials, portal screenshots, or document contents.
Good-faith testing should avoid denial-of-service, credential capture, data exfiltration, persistence, social engineering, and access to data that does not belong to you.