Trust and Security at Comma
Comma Compliance is the modern communications ingestion layer for regulated organizations. Our customers - broker-dealers, registered investment advisers, multinational enterprises, and other firms subject to SEC, FINRA, MiFID II, and FCA recordkeeping - trust us to capture, archive, and supervise communications that they are legally required to retain.
This page summarizes how we protect that data. For a deeper review, request the Trust Whitepaper (NDA edition available) or contact us to schedule a security review session.
What we commit to
Section titled “What we commit to”| Uptime target | 99.9% |
| Recovery Point Objective (RPO) | 15 minutes |
| Recovery Time Objective (RTO) | under 4 hours |
| Encryption at rest | AES-256 (FIPS 140-2 compliant) for all customer data stores |
| Encryption in transit | TLS 1.2+ for all customer-facing endpoints |
| Default retention | 7 years, immutable; configurable per customer regulatory requirement |
| Customer notification of incident | within 72 hours of confirmation |
Active compliance posture
Section titled “Active compliance posture”- SOC 2 Type 2 examination in progress under AICPA AT-C Section 205. Scope: Security, Availability, Confidentiality.
- SEC Rule 17a-4 - third-party recordkeeper undertaking on file. WORM archival storage via S3 Object Lock (Compliance mode).
- FINRA Rule 4511 - indefinite immutable retention surface.
- MiFID II and FCA SYSC 10A - communications capture across in-scope channels.
- GDPR - DPA available; EU residency on enterprise request.
- HIPAA - BAA available on request.
- Google CASA - annual third-party assessment by an Authorized Lab (most recent authorized assessment: March 31, 2025).
Architectural posture
Section titled “Architectural posture”- Two-region US deployment on Microsoft Azure with zone-redundant high-availability PostgreSQL and geo-redundant backups
- WORM archival via AWS S3 Object Lock in Compliance mode - archived content cannot be altered or deleted for the duration of the retention period
- Per-tenant data segregation enforced at the application layer
- Application secrets isolated in a centralized secret store, accessed via short-lived managed identities; no plaintext secrets in application configuration, deployment history, or CI logs
- Continuous infrastructure monitoring with severity-graded alerting and defined escalation paths to engineering on-call
How to request documents
Section titled “How to request documents”For prospects and customers under mutual NDA, we can share:
- The NDA edition of the Trust Whitepaper (full architectural detail including named subprocessors and implementation specifics)
- The SOC 2 Status Letter confirming the in-flight examination
- The third-party recordkeeper undertaking for SEC Rule 17a-4
- The subprocessor register including named providers
- Our standard Data Processing Agreement (DPA) and Business Associate Agreement (BAA) on request
Contact:
- For security-related inquiries: Zeeshan Gulzar, CTO/CISO - zeeshan@commacompliance.com
- For procurement and contracts: Jeremiah Church, CEO - jeremiah@commacompliance.com
Subprocessor categories
Section titled “Subprocessor categories”Comma relies on the following categories of subprocessors. All have current Data Processing Agreements or equivalent contractual protections.
| Category | Function |
|---|---|
| Primary cloud provider | Application hosting, database, secret store, cache, log analytics |
| Object storage provider | WORM archival storage and key management |
| Egress proxy provider | Outbound capture routing for web-based channels |
| MDM provider | macOS endpoint management for capture and admin endpoints |
| Zero-trust overlay provider | Administrative network access |
| Error tracking provider | Application error capture (PII redacted at the application layer) |
| Background check provider | Pre-employment screening |
| Source code provider | Source control and CI/CD |
A named subprocessor list is available under NDA.
What you (the customer) are responsible for
Section titled “What you (the customer) are responsible for”Per the Trust Services Criteria, certain controls are the customer’s responsibility:
- Provisioning, reviewing, and revoking dashboard user accounts. Enforcing MFA at your identity provider for users who SSO into Comma.
- Configuring and maintaining communication connectors for your users.
- Designating supervisors and conducting supervisory review at the cadence required by your regulatory regime.
- Notifying Comma promptly of personnel changes that require access revocation.
- Configuring retention periods and personal-contact policy to match your books-and-records obligations.
- Determining which channels and contacts fall in-scope for capture per your compliance posture.
This page summarizes our security posture. Where the underlying contractual documents (MSA, DPA, BAA) differ from this summary, those documents govern.