
Compliance and Attestations


Comma has engaged a CPA firm to perform a SOC 2 Type 2 examination under AICPA AT-C Section 205. The examination is in progress and covers the Security, Availability, and Confidentiality Trust Services Criteria over a 6-month audit window.

A signed SOC 2 Status Letter confirming the engagement and current state is available under mutual NDA. Following issuance of the Type 2 report, we provide post-issuance bridge letters on the standard cadence at customer request.

The Comma platform is designed to support customer compliance with SEC Rule 17a-4(f), the WORM-compliant electronic recordkeeping requirement applicable to broker-dealers.

  • WORM storage: All archived content is written to AWS S3 with Object Lock enabled in Compliance mode. Versioning is enabled. Public access is blocked.
  • Application separation: The Rails application never writes directly to archival storage. Archive writes are mediated by a dedicated sink connector whose IAM role is scoped to s3:PutObject only; delete and retention-change operations are explicitly denied by policy.
  • Immutability: Once written, archived content cannot be altered or deleted by any user role, including Comma personnel, for the duration of the retention period.
  • Third-party recordkeeper undertaking: A signed undertaking is on file and available to customers on request.
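As an added example (not Comma's code), the following checker expresses the sink-connector role described above as an IAM policy document and verifies that a policy actually matches that posture: an Allow covering nothing but s3:PutObject, plus an explicit Deny of every delete and retention-change action. Action names are real S3 IAM actions; the bucket ARN is a constructed placeholder, and the checker assumes plain Effect/Action statements (no NotAction or Condition handling). Object Lock in Compliance mode already refuses these operations server-side for the retention period, so the Deny is defence in depth against a mis-scoped role rather than the primary control.

```python
import fnmatch
import json

# Actions that could remove or weaken a locked object. Object Lock in Compliance mode
# refuses them server-side; the explicit Deny is defence in depth for the role itself.
MUTATING_ACTIONS = (
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectRetention",
    "s3:PutObjectLegalHold", "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration",
)

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action matching: '*' wildcards, case-insensitive.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def audit_sink_policy(policy):
    """Return findings for an archive-writer policy; [] means the policy matches the posture:
    Allow covers only s3:PutObject and every mutating action has an explicit Deny.
    Assumes plain Effect/Action statements (NotAction and Condition are not modelled)."""
    allowed, denied = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        bucket.extend(_as_list(stmt.get("Action", [])))
    findings = []
    for pat in allowed:
        if pat.lower() != "s3:putobject":
            findings.append(f"Allow action {pat!r} is broader than s3:PutObject")
    for act in MUTATING_ACTIONS:
        if not any(_matches(d, act) for d in denied):
            findings.append(f"no explicit Deny for {act}")
    return findings

# Constructed sample: the posture described above as a policy document (placeholder bucket name).
SINK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::EXAMPLE-archive-bucket/*"},
    {"Effect": "Deny",
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectRetention",
                "s3:PutObjectLegalHold", "s3:BypassGovernanceRetention",
                "s3:PutBucketObjectLockConfiguration"],
     "Resource": ["arn:aws:s3:::EXAMPLE-archive-bucket", "arn:aws:s3:::EXAMPLE-archive-bucket/*"]}
  ]
}""")

# Constructed counter-example: a convenience role that would let the application delete archives.
OVERBROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

if __name__ == "__main__":
    print("sink policy findings:", audit_sink_policy(SINK_POLICY))
    print("overbroad policy findings:", audit_sink_policy(OVERBROAD_POLICY))
```

Run against the real role's policy document (for example the output of `aws iam get-role-policy`) to confirm the role has not drifted from the stated scope.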

Retention is immutable and indefinite by default, and configurable per customer to match their regulatory requirement. Combined with the supervisor-designation and supervisory-review workflows in the Comma dashboard, this supports customer compliance with FINRA’s books-and-records obligations.

The platform captures communications across in-scope channels (WhatsApp, Signal, iMessage, Telegram, voice via integration partners, etc.) and writes them to immutable storage with retention configurable to meet the longest applicable regulatory window. Customers determine which personnel and channels are in scope.

  • Data Processing Agreement (DPA): Available, consistent with GDPR Article 28.
  • Per-tenant data segregation: Enforced at the application layer.
  • EU residency: Available on enterprise request, requiring a dedicated environment in Azure EU and AWS EU regions.
  • Data subject rights: Comma supports customer-initiated export. Deletion requests are subject to the underlying regulatory retention obligation - archived content under a books-and-records retention hold cannot be deleted on customer request alone.
  • EU DPO contact: Available on request.

Comma is available for healthcare customers under a Business Associate Agreement (BAA). The BAA must be executed before storing PHI in the platform. Customer-specific configuration may be required to meet specific HIPAA Security Rule provisions.

Comma undergoes an annual assessment under the Google CASA program (Cloud Application Security Assessment) - Google’s required security assessment for apps published on the Workspace Marketplace. CASA covers OAuth integration security and a defined set of application security controls. The assessment is performed by an Authorized Lab. Most recent authorized assessment: March 31, 2025. The 2026 cycle was submitted in April 2026 and is currently in review.

For transparency, the following are not in our current posture:

  • ISO 27001 certification - on our 2027 roadmap. We may add this if customer demand justifies it before then.
  • PCI DSS - not applicable. Comma does not process, store, or transmit cardholder data.
  • FedRAMP - not currently authorized. We do not currently sell to U.S. Federal agencies.

If your procurement process requires a posture we don’t currently hold, please contact us - we are happy to discuss roadmap and timing.

Available under mutual NDA:

  • NDA edition of the Trust Whitepaper
  • SOC 2 Status Letter (in-flight examination)
  • SEC 17a-4 third-party recordkeeper undertaking
  • Subprocessor register with named providers
  • Standard DPA, BAA

Contact: Zeeshan Gulzar, CTO/CISO - zeeshan@commacompliance.com