Security
Last Updated: May 30, 2025
Version 1.1
1. Introduction
At CommsOK, Inc., security is fundamental to our email analytics platform. We implement comprehensive security measures to protect your data and maintain the integrity of our services. This page outlines our security practices, infrastructure safeguards, and commitment to protecting your information.
Important Note: CommsOK provides email list analytics only and does not transmit email on behalf of users. Our security measures are designed specifically for data analytics and processing operations.
2. Compliance & Transparency
2.1 Regulatory Landscape
CommsOK, Inc. is a U.S.-based B2B SaaS platform targeting U.S. businesses. We do not primarily target EU residents, California residents, or children as data subjects, and therefore do not believe we currently meet the applicability thresholds of the corresponding regulations. If we begin processing covered personal data, we will comply with all relevant obligations.
2.2 Security Certifications
We are not currently certified under formal security frameworks such as SOC 2 Type II, ISO 27001, or FedRAMP. We conduct annual penetration testing, though this is not a substitute for a SOC 2 audit.
2.3 Transparency & Roadmap
We are transparent about our current status and voluntarily implement security best practices that align with industry standards. We continuously evaluate our compliance posture as our business grows.
3. Infrastructure Security
3.1 Cloud Infrastructure
- Google Cloud Platform (GCP): All data is processed and stored in GCP data centers located in the United States
- Regional Deployment: Primary operations in us-west2 (Los Angeles) region for optimal performance and data residency
- Shared Responsibility Model: We leverage GCP's enterprise-grade security infrastructure while maintaining responsibility for application-level security
3.2 Network Security
- Virtual Private Cloud (VPC): Isolated network environment with controlled access
- Firewalls: Network-level security controls and traffic filtering
- DDoS Protection: Built-in protection against distributed denial-of-service attacks
- Intrusion Detection: Monitoring for suspicious network activity
4. Data Protection
4.1 Encryption
- Encryption in Transit: TLS 1.3 wherever supported (TLS 1.2 fallback)
- Encryption at Rest: AES-256 encryption for all stored data including databases and backups
- Key Management: Keys are generated, stored, and automatically rotated via GCP KMS
4.2 Data Handling
- Data Minimization: We collect and process only the data necessary for our analytics services
- Purpose Limitation: Data is used solely for providing email analytics insights
- Secure Deletion: Secure data deletion procedures when retention periods expire
- Backup Security: Encrypted backups with controlled access and retention policies
5. Access Controls
5.1 Authentication & Authorization
- Multi-Factor Authentication (MFA): Required for all administrative access
- Role-Based Access Control (RBAC): Principle of least privilege for system access
- Identity Management: Centralized user authentication via Clerk
- Session Management: Secure session handling with automatic timeouts
5.2 Administrative Controls
- Employee Access: Limited to authorized personnel with business need
- Audit Logging: Comprehensive logging of all administrative actions
- Regular Access Reviews: Periodic review and validation of access permissions
6. Security Monitoring
6.1 Continuous Monitoring
- Security Information and Event Management (SIEM): Real-time monitoring and alerting
- Vulnerability Scanning: Automated security scans run continuously, with daily delta scans
- Log Analysis: Centralized logging and analysis for security events
- Performance Monitoring: System health and availability monitoring
6.2 Security Assessments
- Penetration Testing: Annual third-party security assessments
- Code Reviews: Security-focused code review processes
- Dependency Scanning: Automated scanning for vulnerable dependencies runs continuously, with daily delta scans
7. Incident Response
7.1 Incident Management
- Response Plan: Formal incident response procedures and escalation paths
- Notification Timeline: We will notify affected customers without undue delay, and within 72 hours where legally required
- Forensic Capabilities: Incident investigation and root cause analysis
- Recovery Procedures: Business continuity and disaster recovery plans
7.2 Communication
In the event of a security incident that may affect customer data, we will:
- Notify affected customers promptly via email and platform notifications
- Provide regular updates throughout the incident response process
- Post status updates on our public status page
- Share post-incident reports with lessons learned and preventive measures
8. Organizational Security
8.1 Personnel Security
- Background Checks: Appropriate screening for personnel with data access
- Security Training: Regular security awareness training for all employees
- Confidentiality Agreements: All personnel bound by confidentiality obligations
8.2 Vendor Management
We carefully evaluate and monitor our service providers. Current sub-processors include:
- Google Cloud Platform: Cloud infrastructure and data storage
- Vercel: Application hosting and content delivery
- Clerk: User authentication and identity management
- Stripe: Payment processing and billing
A complete list is available on our Sub-Processors page.
9. Contact Information
9.1 Security Inquiries
For security-related questions or to report security vulnerabilities:
Email: security@commsok.com
9.2 Privacy and Legal
For privacy or legal inquiries:
Privacy: privacy@commsok.com
Legal: legal@commsok.com
CommsOK, Inc.
2265 116th Ave. N.E., Suite 110
Bellevue, WA 98004
USA
This Security page is effective as of May 30, 2025 and describes the security measures implemented by CommsOK, Inc.
Related Documents: Terms of Service | Privacy Policy | Data Processing Agreement