Security built for revenue data.
Cometly handles the data your finance, sales, and marketing teams run on: Stripe revenue, CRM pipeline, and ad-platform spend. We treat it the way you do: with strict access controls, independently audited processes, and encryption at every layer.
Independently audited. Continuously monitored.
SOC 2 Type I and Type II are in progress. We can share our auditor's letter of attestation, DPA, sub-processor list, and security questionnaire under NDA, usually the same business day.
Independent audit of our security, availability, and confidentiality controls is underway. Auditor letter, DPA, and sub-processor list available under NDA so your security review can move forward today.
Continuous evaluation of our security controls over an extended period, following our Type I attestation. Reach out for our latest timeline.
EU data subject rights, lawful basis tracking, and a published Data Processing Addendum.
California consumer rights honored, including access, deletion, and opt-out signals.
We never store raw card data. All payments are processed by Stripe, a PCI DSS Level 1 service provider.
Working toward formal certification in 2026. Controls already mapped to the standard.
To receive copies of audit reports, our security questionnaire, or our DPA, email security@cometly.com.
Defense at every layer of the stack.
From the browser request to the row in our database, every layer of Cometly is built with security primitives that scale with your team and your traffic.
Your data, encrypted and isolated.
AES-256 at rest. TLS 1.2+ in transit. Per-workspace logical isolation, with field-level encryption for the most sensitive customer attributes.
Strong access controls, by default.
Role-based permissions on every workspace, configurable session controls, and immutable audit logs of every workspace action. Audit logs are available on request.
Resilient cloud, by design.
Hosted on AWS in regions covered by AWS's SOC 2 reports. Production data is segregated from staging, with multi-AZ deployments and automated backups for resiliency.
Continuous monitoring, audited annually.
24×7 monitoring, on-call rotations, and immutable audit logs. Annual penetration tests and a private bug bounty program run with the security research community.
Encrypted, isolated, and yours alone.
Your customer data never co-mingles with another workspace. Every read and write is scoped to your tenant, and we test that boundary continuously.
- Encryption at rest
All data is encrypted at rest with AES-256, including primary databases, warehouse exports, backups, and object storage.
- Encryption in transit
All connections use TLS 1.2 or higher with HSTS preload. Older protocol versions are rejected at the edge.
- Field-level encryption
Sensitive customer attributes (emails, IP addresses, user identifiers) are individually encrypted with rotating keys.
- Key management
Encryption keys are managed in AWS KMS with customer-isolated key hierarchies. Keys are rotated on a regular schedule.
- Backups
Automated, encrypted database backups every 6 hours, retained for 30 days, with point-in-time recovery for resiliency.
- Tenant isolation
Every workspace is logically isolated. Queries are scoped at the application layer and audited at the database layer.
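Tenant isolation rests on one discipline: the workspace predicate is bound once and attached to every read and write, so a primary key alone never reaches the database. The following is an added, self-contained illustration of that pattern and of the boundary test the page describes; it is not Cometly's code. It uses an in-memory SQLite database, constructed sample rows, and assumed table and column names, and adds a trigger as a stand-in for database-layer auditing of writes.

```python
"""Tenant-scoped data access: every query carries the workspace_id.

Illustrative example, not Cometly's implementation. The schema, the
`contacts` table, and the audit trigger are assumptions made for the demo.
"""
import sqlite3

SCHEMA = """
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL,
    email TEXT NOT NULL
);
CREATE INDEX contacts_ws ON contacts (workspace_id);
-- Database-layer audit: every successful write is recorded with its tenant.
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL,
    action TEXT NOT NULL,
    row_id INTEGER NOT NULL
);
CREATE TRIGGER contacts_audit_update AFTER UPDATE ON contacts
BEGIN
    INSERT INTO audit_log (workspace_id, action, row_id)
    VALUES (NEW.workspace_id, 'update', NEW.id);
END;
"""


class WorkspaceRepo:
    """All SQL goes through here; workspace_id is fixed at construction and
    never accepted as a per-call parameter, so callers cannot forget it."""

    def __init__(self, conn, workspace_id):
        self.conn = conn
        self.ws = workspace_id

    def add_contact(self, email):
        cur = self.conn.execute(
            "INSERT INTO contacts (workspace_id, email) VALUES (?, ?)",
            (self.ws, email),
        )
        return cur.lastrowid

    def get_contact(self, contact_id):
        # The primary key is not enough: the tenant predicate is mandatory.
        return self.conn.execute(
            "SELECT id, email FROM contacts WHERE id = ? AND workspace_id = ?",
            (contact_id, self.ws),
        ).fetchone()

    def update_email(self, contact_id, email):
        cur = self.conn.execute(
            "UPDATE contacts SET email = ? WHERE id = ? AND workspace_id = ?",
            (email, contact_id, self.ws),
        )
        return cur.rowcount  # 0 means the row is absent or belongs to another tenant

    def list_emails(self):
        rows = self.conn.execute(
            "SELECT email FROM contacts WHERE workspace_id = ? ORDER BY id",
            (self.ws,),
        )
        return [r[0] for r in rows]


def boundary_test():
    """Seed two tenants and prove neither can read or write the other's rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    a = WorkspaceRepo(conn, "ws_a")
    b = WorkspaceRepo(conn, "ws_b")
    a_id = a.add_contact("alice@example.com")  # constructed sample data
    b_id = b.add_contact("bob@example.com")    # constructed sample data

    results = {}
    results["a_reads_own"] = a.get_contact(a_id) is not None
    results["a_reads_b"] = a.get_contact(b_id)                   # cross-tenant read: None
    results["a_updates_b"] = a.update_email(b_id, "x@example.com")  # cross-tenant write: 0 rows
    results["b_updates_own"] = b.update_email(b_id, "bob2@example.com")  # 1 row
    results["b_list"] = b.list_emails()                          # only tenant b's rows
    results["audit_rows"] = conn.execute(
        "SELECT COUNT(*) FROM audit_log").fetchone()[0]          # only the successful write
    return results


if __name__ == "__main__":
    print(boundary_test())
```

The test is cheap enough to run in CI on every build, which is what "testing the boundary continuously" means in practice: a cross-tenant read must return nothing, a cross-tenant write must touch zero rows, and the audit table must record only the write that actually happened.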
Right access. Right people. Right log.
Identity and access are the foundation of trust. Cometly gives your IT and security teams the controls they expect, and the audit trail they need.
Owner, Admin, Editor, and Viewer roles. Restrict access to billing, integrations, and sensitive workspaces.
Configurable session length and inactivity timeouts. Forced re-authentication for sensitive actions.
Immutable logs of every workspace action: logins, integration changes, data exports, and role updates. Log exports are available on request.
Scoped, revocable API keys with read/write permissions, rate limits, and usage analytics in the dashboard.
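Scoped, revocable keys come down to three server-side checks: the key is stored only as a hash, the presented secret is compared in constant time, and the requested permission is checked against the key's scopes after revocation is ruled out. The block below is an added illustration of those checks, not Cometly's implementation; the key format `ck_<key_id>.<secret>`, the scope names `read` and `write`, and the in-memory store are assumptions. Rate limiting and usage analytics, also mentioned above, are outside its scope.

```python
"""Scoped, revocable API keys: hash at rest, constant-time compare, scope check.

Illustrative example, not Cometly's code. Key format, scope names and the
in-memory store are assumptions for the demo.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class ApiKeyRecord:
    workspace_id: str
    secret_hash: bytes   # sha256(secret); the secret itself is never stored
    scopes: frozenset
    revoked: bool = False


class ApiKeyStore:
    def __init__(self):
        self.records = {}

    def issue(self, workspace_id, scopes):
        """Create a key and return its plaintext exactly once."""
        key_id = secrets.token_hex(8)          # public lookup handle
        secret = secrets.token_urlsafe(32)     # 256 bits of entropy
        # A fast hash is adequate here: the secret is random and long, so an
        # attacker with the table gains nothing from brute force.
        digest = hashlib.sha256(secret.encode()).digest()
        self.records[key_id] = ApiKeyRecord(workspace_id, digest, frozenset(scopes))
        return f"ck_{key_id}.{secret}"

    def revoke(self, key_id):
        rec = self.records.get(key_id)
        if rec is not None:
            rec.revoked = True

    def authenticate(self, presented, required_scope):
        """Return the owning workspace_id, or None on any failure."""
        if not presented.startswith("ck_") or "." not in presented:
            return None
        key_id, _, secret = presented[3:].partition(".")
        rec = self.records.get(key_id)
        # key_id is not secret, so an early exit on an unknown id leaks nothing.
        if rec is None or rec.revoked:
            return None
        candidate = hashlib.sha256(secret.encode()).digest()
        if not hmac.compare_digest(rec.secret_hash, candidate):
            return None
        if required_scope not in rec.scopes:
            return None
        return rec.workspace_id


def demo():
    """Exercise the happy path, a scope violation, tampering and revocation."""
    store = ApiKeyStore()
    key = store.issue("ws_a", {"read"})        # constructed: read-only key for ws_a
    key_id = key[3:].partition(".")[0]
    tampered = key[:-1] + ("A" if key[-1] != "A" else "B")  # flip last secret char
    out = {
        "read_ok": store.authenticate(key, "read"),
        "write_denied": store.authenticate(key, "write"),
        "tampered": store.authenticate(tampered, "read"),
        "garbage": store.authenticate("Bearer abc", "read"),
    }
    store.revoke(key_id)
    out["after_revoke"] = store.authenticate(key, "read")
    return out


if __name__ == "__main__":
    print(demo())
```

Two details matter for a security review: revocation is checked before the hash compare, so a revoked key fails even if its plaintext leaks later, and the scope check is a separate decision after authentication, so a read-only key presented to a write endpoint is refused rather than silently downgraded.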
Built on infrastructure your security team already trusts.
We run on AWS in independently audited regions, and we operate the platform with the same on-call rigor as the rest of your tier-1 vendors.
Production runs in AWS regions covered by AWS's SOC 2 reports and ISO 27001 and PCI DSS certifications, with multi-AZ deployments for high availability.
All traffic flows through a hardened edge with rate limiting, WAF rules, and managed DDoS mitigation.
Production data is fully isolated from staging and development. Engineers cannot pull production data into other environments.
Continuous dependency scanning, daily container image scans, and weekly host-level vulnerability reports tracked to remediation.
Annual third-party penetration tests of the application, infrastructure, and integration boundaries. Reports available on request.
RPO of 6 hours (matching the backup interval), RTO of 4 hours. Backup restoration and disaster recovery runbooks are exercised quarterly, including tabletop exercises.
Privacy is a control surface, not a checkbox.
Cometly is built so the privacy promises you make to your customers stay enforceable end-to-end. From signed DPAs to in-product deletion tools, the controls are first-class.
Pre-signed DPA with Standard Contractual Clauses, available without negotiation for every customer.
Built-in tools to honor access, rectification, deletion, and export requests across every connected data source.
Public sub-processor list, with 30-day advance notice of any additions or material changes.
US data stays in US regions. EU data residency is available for Enterprise customers requiring it.
Configurable retention windows for raw events, with automatic anonymization after the configured period.
You own your data. Export anytime, and we'll permanently delete on request, typically within 30 days.
Security is everyone's job, not a department.
The strongest controls are the ones a team actually lives. Our policies, training, and reviews are built to keep security at the top of mind for every Cometly engineer.
Anomaly detection on every critical service. On-call engineers respond within minutes, not hours.
Every Cometly employee completes security and privacy training annually. Engineers complete additional secure-coding training.
Pre-employment background checks where legally permitted. All employees sign confidentiality agreements before access.
Production access is gated, time-bound, and logged. Reviews happen quarterly and on every role change.
Every sub-processor goes through a security review before adoption, and is reviewed annually.
Documented IR runbooks with defined severity levels. Customers are notified without undue delay for incidents that affect them.
Found something? We want to hear from you.
We work with the security research community and welcome reports of potential vulnerabilities. Reports made in good faith, with no impact on customer data, won't be subject to legal action.
- We confirm receipt within 1 business day.
- We triage and respond with severity and next steps within 5 business days.
- We keep you informed as the fix progresses through review and deploy.
- Eligible reports may receive a bounty through our private program.
The questions security teams ask us.
Need something not covered here? Our security team usually returns full questionnaires within one business day. Email security@cometly.com.
Where is Cometly on SOC 2?
Both SOC 2 Type I and SOC 2 Type II are in progress. We can share a letter of attestation from our auditor under NDA, along with our DPA, sub-processor list, and Privacy Policy, so your security team can start their review and procurement can move forward today. Email security@cometly.com to request the packet.
Do you offer a Data Processing Addendum (DPA)?
Yes. We have a pre-signed DPA with EU Standard Contractual Clauses available to every customer, no negotiation required. Enterprise customers can request a counter-signed version.
Where is my data stored?
Data is stored in AWS US regions by default. EU data residency is available for Enterprise customers; contact sales to scope it. All regions we use are covered by AWS's SOC 2 reports and ISO 27001 certification.
How is my data encrypted?
All data is encrypted in transit with TLS 1.2 or higher and at rest with AES-256. Sensitive customer attributes are additionally protected with field-level encryption using rotating keys managed in AWS KMS.
Do you support SSO and SAML?
Not yet — SSO and SAML are on our roadmap. Today, every workspace ships with role-based access control, configurable session controls, and immutable audit logs. Log exports are available on request. Email security@cometly.com to discuss your IdP requirements.
Are you GDPR and CCPA compliant?
Yes. Cometly supports the data subject rights required under GDPR and CCPA, honors universal opt-out signals, and provides in-product tooling for access, deletion, and export requests.
Do you have an uptime SLA?
Enterprise customers get a 99.9% uptime SLA with service credits. Real-time and historical uptime is published on our status page.
How do you handle security incidents?
We follow a documented incident response plan with defined severity levels and escalation paths. Customers affected by an incident are notified without undue delay, with details and remediation steps.
Do you conduct penetration tests?
Yes. Independent third-party penetration tests are conducted annually against the application, infrastructure, and integration boundaries. Summary letters are available to customers under NDA.
Where can I report a security issue?
Email security@cometly.com or use our PGP key for sensitive reports. We confirm receipt within one business day and respond with severity and next steps within five business days.
Need to pass security review?
We'll send our auditor's letter of attestation, DPA, and security questionnaire in one bundle, usually the same business day.