Data Security & WORM Storage FAQ

WORM stands for Write Once, Read Many. It is a data storage method where information, once written, cannot be modified or deleted until the retention period expires. SEC Rule 17a-4 requires that electronic communications be stored in a WORM-compliant format.

Comma stores all archived messages in WORM-compliant storage, ensuring that records cannot be tampered with, accidentally deleted, or altered after capture.

Comma uses multiple layers of encryption:

  • In transit - All data is encrypted using TLS 1.3 during transmission between devices, Comma servers, and storage
  • At rest - Archived messages are encrypted in storage using AES-256
  • Key management - Encryption keys are managed through a dedicated key management service with regular rotation

Comma uses SOC 2-compliant data centers. Data residency options are available for firms with geographic requirements. Contact your account representative for specific data center locations.

Access is controlled through role-based permissions:

  • Compliance officers - Full access to all archived messages, policies, and review queues
  • Supervisors - Access to messages from their direct reports
  • Auditors - Read-only access with export capabilities
  • Individual users - Can view their own archived messages (if enabled by admin)

All access is logged in an immutable audit trail.

Yes. Every action in Comma is logged, including:

  • Who accessed which messages and when
  • Search queries executed
  • Exports performed
  • Policy changes
  • User permission changes
  • Integration connections and disconnections

The audit trail itself is stored in WORM format and cannot be modified.

  • Continuous replication - Data is replicated across multiple availability zones in real time
  • Point-in-time recovery - Restore data to any point within the retention window
  • Disaster recovery - Full site failover with RPO (Recovery Point Objective) under 1 hour

What compliance certifications does Comma hold?

  • SOC 2 Type II
  • SEC Rule 17a-4 compliant storage (third-party validated)
  • FINRA Rule 4511 compliant retention

Yes. You can export archived messages at any time through:

  • Dashboard - Search, filter, and export as CSV or PDF
  • API - Programmatic bulk export via the REST API
  • Scheduled exports - Automated recurring exports to your systems

Exports include full message content, metadata, attachments, and chain-of-custody information.