Comodly

Security & trust.

Comodly handles sensitive community data. We take security seriously at every layer — from our code to our infrastructure to our team practices.

GDPR compliant
Role-based access control
JWT auth with refresh rotation
DPA available on request
Responsible disclosure policy

How we protect your data

Built secure from day one.

Data encryption

All data in transit is encrypted with TLS. WhatsApp session credentials are stored encrypted per-account and never shared or used outside of operating your moderation.

Infrastructure isolation

Each user's moderation data is isolated at the database level. Your data is never mixed with other users' data and is only accessible by you.

Short-lived message data

Incoming messages are stored temporarily to evaluate your moderation rules and are automatically purged after 72 hours. Moderation actions and warnings are retained for audit purposes. You can request deletion of any data at any time.

Access controls

Role-based access control (RBAC) limits who can do what within your account. All admin actions are logged in a tamper-evident audit trail.

Incident response

We maintain a documented incident response plan. In the event of a data breach, affected users are notified within 72 hours, as required under GDPR.

Penetration testing

Security vulnerabilities can be responsibly disclosed to our team. We review every report, aim to respond within 24 hours, and resolve critical issues promptly.

Email verification

All email addresses are verified via a one-time passcode (OTP) before they can be used for account features such as login, notifications, or recovery.

AI/ML security

AI processing is fully isolated. Spam detection runs on dedicated infrastructure with no access to other services. OpenAI integration uses API-only access with no data retention enabled.

Engineering

Security baked into how we work.

Secure development lifecycle

All code changes go through peer review. Dependencies are scanned for known vulnerabilities using automated tooling on every commit.

Secrets management

No secrets in code. All credentials and API keys are managed through environment variables and kept out of source control.

Dependency scanning

Application dependencies are regularly reviewed for known vulnerabilities and kept up to date.

Backups

Regular database backups ensure your moderation data and configuration can be restored in the event of an incident.

Logging & monitoring

All application events are logged. Security-relevant events trigger real-time alerts to our on-call team.

Responsible disclosure

Found a security vulnerability? We appreciate responsible disclosure and will work with you to verify and fix the issue promptly. We do not take legal action against researchers acting in good faith.

Please report security issues to security@comodly.com. We aim to respond within 24 hours and resolve critical issues within 7 days.

Acknowledge receipt within 24h
Regular progress updates
Credit in our security hall of fame