Frequently Asked Questions

What happens when I click the “Send invite” icon next to a person in my People assets?

This will trigger an invitation to the user to create a Comply account. Based on the level of access you assign, you will want to invite users to the Comply account to conduct access control reviews, complete tickets they are assigned to and/or complete compliance and security training.

What if I don't use one of your supported integrations?

If you are unable to take advantage of our current integrations offerings, you can always add assets manually of each type. Check out the Asset Overview for more information.

How can I update a user's email address?

If you need assistance updating a user’s email address, please email [email protected] and provide the user name and email address you wish to update to or contact your Customer Success Manager directly.

How do I invite a user to have access to Comply if they are already added as a person in my assets tab?

  • Click on the Assets tab
  • Under Comply User Status, you are able to Send Invitation
  • User Status Legend:
    • Active: the user has accepted their invitation to Comply and created an account
    • Pending Invitation: the user has been invited to create a Comply account with the past 7 days and still needs to create a login
    • Expired Invitation: if the user was invited and their invitation expires after 7 days, you should see the Resend option to resend the invitation
    • None: the user is currently added as a person, but has not been invited to create a Comply login. Select Send Invitation to invite them to create an account for access.

How do I access training modules?

Training is available to all customers on a separate app, As part of Comply GRC on-boarding we recommend focusing on adding your assets (people, roles, SaaS systems, etc) and reviewing the controls and procedures and then separately adding your employees to if you wish for them to use our annual training.

What do the different data classification levels in Comply mean?

Data classification is a technique to simplify security for your organization by reserving the most stringent controls for the most sensitive data and systems. For example, AWS might host your core data and workloads, and have all kinds of sensitive customer data and PII. You might classify it as Sensitive/Regulated and implement a corresponding access control review policy that says Sensitive/Regulated systems will be checked monthly. For more information check out our asset management guide.

What's the difference between a SaaS System and a Vendor in Comply?

The Vendor asset type in Comply represents the legal entity and is associated with data like contracts (BAAs, SLAs, DPAs, etc.) and workflows like annual vendor reviews. For example if you use AWS, Amazon is the vendor.

The SaaS System asset type in Comply represents the distinct service (EC2, S3, etc.) or instance of a service (main Slack account, support Slack account, etc.). SaaS Systems are associated with workflows like access control reviews and 2FA enrollment checks.

For more on vendor management, please find our vendor management guide and our asset management guide.

Do I need to create additional roles for my company based on the roles listed in the 'ISMS Roles and Responsibilities' Domain?

Comply ships with a baseline set of policies and procedures for you to get started. This includes an ISMS Roles and Responsibilities Domain that establishes several suggest security management roles for your compliance program:

  • Management Team
  • Security Officer
  • Security Team
  • Privacy Officer
  • Privacy Team
  • Human Resources Team
  • Service Reliability Lead
  • Service Reliability Team
  • Incident Response Lead
  • Incident Response Team
  • Engineering Team
  • Legal Team

If you don't already have these roles established in your organization, we recommend you consider doing so. Some roles might have one person assigned, while others might have many assigned to that role. Small organizations will have people wearing many hats and performing functions of multiple roles.

When you decide which roles and responsibilities are appropriate for your organization and your compliance objectives, create the Role assets in Comply. This enables you to track assignments, trigger training if needed, and delegate work to your team with tickets.

I accidentally approved a control. Can I mark it as 'draft' again?

No, in general Comply is append-only in order to support auditing. Once a control is approved, there is no way to move back to draft status. Instead, you can make changes and update the version number and/or your description when you approve the changes.

I accidentally deleted or updated a control. Can I restore to the original?

There is no way to automatically revert or restore a control. If you delete a control or want to update the language back to the original content or a previous version, you are able to copy and paste it back by using the approval history.

To access the approval history, see steps below:

  • Click on the ISMS tab
  • Select the Approval History tab on the lefthand navigation
  • Locate the last (or original version) and copy and paste the content back into your ISMS

How can I update the name or sorting order of my domains?

Domains are sorted alphanumerically when rendered in the ISMS Prose view.


Default sorting of domains (alphanumerically). Note that the numbers "4, 3, 7, 6" refer to the number of policies in that domain.

To change the ordering of domains, simply add a leading 01, 02, etc on the names of your domains by following these steps:

  • Click on the ISMS tab
  • Select the Controls Tab on the lefthand navigation
  • Click on the edit pencil next to the domain and update the name of the domain with a numeric prefix. (We recommend using a leading zero).
  • Continue updating domains for all the relevant controls. Note you will only have to create the new domain name once, after that you'll be able to select it from the list of existing domains.
  • Once you've updated all the domains, re-approve the ISMS to create a new Prose view.

Presto! Domains sorted by a numerical prefix.

What frameworks does Comply support and what frameworks do you plan to support in the future?

Aptible supports HIPAA, SOC 2, ISO 27001, HITRUST, CCPA, and GDPR.

In the future we plan to support PCI and FedRAMP, as well as other frameworks that our customers request. Please let us know your ideas here. Please note, you are always able to edit the policies in your ISMS to align with additional frameworks and requirements outside of what Aptible supports.

Why does the Aptible baseline Physical Security policy refer to the Mobile Device policy?

Many organizations rely on cloud computing and data centers like AWS to store and process their data. The physical servers and cloud vendors are covered in the Vendor Management policy, and what the organization should focus on are the physical security risks related to the mobile device (phones and laptops) that access those cloud services. For more information please on types of risks please see Risks Overview.

What are the ePHI Data Retention Requirements?

The US Department of Health and Human Services (HHS) states that the HIPAA Privacy Rule does not include medical record retention requirements. Rather, State laws generally govern how long medical records are to be retained. However, the HIPAA Privacy Rule does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal. See 45 CFR 164.530(c).

Please see our HIPAA Compliance Guide for additional resources.