1. Security principles
COMS is built as a SaaS environment where customer data, settings, widgets and integrations are tied to a customer account.
The product principle is to minimize unnecessary data collection, restrict access and keep critical events traceable.
2. GDPR and DPA
COMS acts as controller for its own customer and service data. For customer website widget data, COMS usually acts as processor on behalf of the customer.
A customer-specific DPA or processing terms can be attached to the agreement when the service processes customer data.
3. Account isolation
Every widget, conversation, lead, contact, booking, file and delivery channel is bound to an account id.
Database structures, RLS policies and integrity checks are used to prevent customer data from mixing across accounts.
- Account-scoped RLS policies
- Allowed widget origins
- Cross-account integrity checks
- Audit logs for critical changes
4. Roles and access
The portal separates provider owner, customer admin and regular user roles. Provider owners can manage customers centrally, while customer users can receive narrower permissions.
- Owner: COMS team management across customers
- Customer admin: settings, users and deliveries for one customer
- User: operational views such as messages, contacts and tasks
5. Encryption and traffic
Service traffic is protected with HTTPS/TLS. API, portal, documentation and widgets are deployed in environments where cache, CSP and origin restrictions can be managed per service.
6. Files and retention
Customer uploads are stored in a private bucket structure. File paths are bound to customer accounts and production checks flag unknown account paths.
Retention is based on service purpose, customer need and legal obligations.
7. Integrations
Leads can be routed to email, webhook, WhatsApp, Telegram or other agreed channels. Every delivery channel is tied to the customer account.
Third-party credentials are processed only for the purpose for which the customer enabled the integration.
8. Monitoring and production checks
COMS includes production checks for schema readiness, tenant data, CSP settings, portal assets and smoke testing.
These checks do not replace continuous operations, but they reduce the risk of missing tables, permissions, origins or customer-specific configuration.
9. Certifications and roadmap
COMS does not claim ISO 27001 certification unless such certification is separately obtained and valid. The target is to build practices that support later auditability.
Customer-specific higher security requirements, such as IP restrictions, additional encryption or stricter login policies, are handled as separate deliveries.