Data Security & WORM Storage FAQ
What is WORM storage?
WORM stands for Write Once, Read Many. It is a data storage method where information, once written, cannot be modified or deleted until the retention period expires. SEC Rule 17a-4 requires that electronic communications be stored in WORM-compliant format.
Comma stores all archived messages in WORM-compliant storage, ensuring that records cannot be tampered with, accidentally deleted, or altered after capture.
How is data encrypted?
Comma uses multiple layers of encryption:
- In transit - All data is encrypted using TLS 1.3 during transmission between devices, Comma servers, and storage
- At rest - Archived messages are encrypted using AES-256 encryption in storage
- Key management - Encryption keys are managed through a dedicated key management service with regular rotation
Where is data stored?
Comma uses SOC 2-compliant data centers. Data residency options are available for firms with geographic requirements. Contact your account representative for specific data center locations.
Who can access archived messages?
Access is controlled through role-based permissions:
- Compliance officers - Full access to all archived messages, policies, and review queues
- Supervisors - Access to messages from their direct reports
- Auditors - Read-only access with export capabilities
- Individual users - Can view their own archived messages (if enabled by admin)
All access is logged in an immutable audit trail.
Is there an audit trail?
Yes. Every action in Comma is logged, including:
- Who accessed which messages and when
- Search queries executed
- Exports performed
- Policy changes
- User permission changes
- Integration connections and disconnections
The audit trail itself is stored in WORM format and cannot be modified.
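The two guarantees described above, a write-once store whose records cannot be overwritten or deleted before their retention period expires, and an access log that reveals any after-the-fact edit, can be modelled in a few lines. The following Python is an added illustration for this FAQ, not Comma's code: the `WormStore`, `RetentionError` and `demo` names, the injectable clock, the record id and the retention period are all constructed for the example.

```python
import hashlib, json
from datetime import datetime, timedelta, timezone
class RetentionError(Exception): pass  # raised when a WORM rule (no overwrite, no early delete) would be broken
def _digest(entry):
    # Hash every field except the hash itself, in a canonical key order, so verification is reproducible.
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
class WormStore:
    def __init__(self, now):
        self._records, self._audit, self._now = {}, [], now  # clock is injectable so expiry can be simulated
    def write(self, record_id, payload, retention, actor="ingest"):
        if record_id in self._records:  # write once: an existing record is never replaced
            raise RetentionError(f"{record_id} already exists; overwrite refused")
        self._records[record_id] = {"payload": payload, "expires": self._now() + retention}
        self._log("write", record_id, actor)
    def read(self, record_id, actor):
        self._log("read", record_id, actor)  # every access is recorded, including who and when
        return self._records[record_id]["payload"]
    def delete(self, record_id, actor):
        if self._now() < self._records[record_id]["expires"]:
            raise RetentionError(f"{record_id} is still under retention; delete refused")
        del self._records[record_id]
        self._log("delete", record_id, actor)
    def _log(self, action, record_id, actor):
        prev = self._audit[-1]["hash"] if self._audit else "0" * 64  # chain each entry to its predecessor
        entry = {"ts": self._now().isoformat(), "action": action, "record": record_id, "actor": actor, "prev": prev}
        entry["hash"] = _digest(entry)
        self._audit.append(entry)
    def verify_audit(self):
        # Each entry must commit to the hash of its predecessor (the first entry chains to all zeros).
        expected_prev = ["0" * 64] + [e["hash"] for e in self._audit[:-1]]
        return all(e["prev"] == p and _digest(e) == e["hash"] for e, p in zip(self._audit, expected_prev))
def demo():
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]  # constructed, controllable time
    store = WormStore(now=lambda: clock[0])
    store.write("msg-1", "constructed sample message", timedelta(days=6 * 365))
    results = {"read": store.read("msg-1", "auditor")}
    for name, op in (("overwrite", lambda: store.write("msg-1", "edited", timedelta(days=1))),
                     ("early_delete", lambda: store.delete("msg-1", "admin"))):
        try:
            op()
            results[name] = "allowed"
        except RetentionError:
            results[name] = "rejected"
    clock[0] += timedelta(days=6 * 365 + 1)  # retention window has now passed
    store.delete("msg-1", "admin")
    results["audit_intact"] = store.verify_audit()
    store._audit[0]["actor"] = "someone-else"  # simulate an after-the-fact edit to the log
    results["audit_after_tamper"] = store.verify_audit()
    return results
```

Running `demo()` shows both overwrite and pre-expiry delete rejected, the post-expiry delete allowed, and the audit chain verifying until one entry is edited, after which verification fails.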
How are backups handled?
- Continuous replication - Data is replicated across multiple availability zones in real time
- Point-in-time recovery - Restore data to any point within the retention window
- Disaster recovery - Full site failover with RPO (Recovery Point Objective) under 1 hour
What compliance certifications does Comma hold?
- SOC 2 Type II
- SEC Rule 17a-4 compliant storage (third-party validated)
- FINRA Rule 4511 compliant retention
Can I use my own encryption key?
Yes. By default Comma manages encryption keys via Azure, but you can supply your own key through BYOK. Contact your account team to enable it, then provide your vault key reference in the Configuration Center. You’ll need to verify your identity when making the switch, and your team is responsible for rotating the key going forward.
Can I export my data?
Yes. You can export archived messages at any time through:
- Dashboard - Search, filter, and export as CSV or PDF
- API - Programmatic bulk export via the REST API
- Scheduled exports - Automated recurring exports to your systems
Exports include full message content, metadata, attachments, and chain-of-custody information.
Can I forward archived messages to my existing compliance system?
Yes. Comma supports forwarding archived messages to your existing compliance system, including self-hosted archives. Contact your account team to configure a forwarding destination.
Comma’s data security guarantees apply only to data stored within Comma’s infrastructure. Once messages are forwarded to a third-party system, the security, retention, and compliance obligations for that data are governed by your agreement with that provider. Customers are responsible for ensuring their downstream systems meet applicable regulatory requirements.