How CommitControl protects customer data across hosting, access control, encryption, tenant isolation, monitoring, incident response, and GDPR-aware operations.
CommitControl is designed around least privilege, tenant isolation, operational transparency, and controlled access to customer data. Security and data protection principles are embedded into the design, deployment, and operation of the platform.
The platform is intentionally architected to minimise unnecessary access to customer information, isolate customer environments logically at the data layer, secure authentication and session management, reduce operational attack surface, maintain auditability of critical platform actions, and support GDPR-aligned data handling practices.
CommitControl operates using modern cloud infrastructure providers and managed services selected for reliability, operational security, and scalability. Production runs on Amazon Web Services in AWS Europe (Frankfurt, eu-central-1), and customer data is hosted within the European Union. Production storage volumes are encrypted at rest.
Core infrastructure components may include cloud infrastructure, secure frontend hosting, managed authentication, encrypted payment processing, secrets management, monitoring, and logging services. Customer data is logically segregated within the platform architecture.
CommitControl implements identity and access management controls designed to restrict access to authorised users only. Customer accounts are scoped to a single tenant, and administrative production access is limited to authorised personnel with operational need.
CommitControl uses encryption and secure transmission controls to protect customer information.
CommitControl is designed as a multi-tenant SaaS platform with logical tenant separation. Controls may include tenant-aware access validation, row-level security enforcement, scoped authentication tokens, tenant-bound query controls, application-layer permission checks, and isolated customer data visibility.
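To illustrate what "tenant-bound query controls" and "application-layer permission checks" look like in practice, here is an added example written for this page; it is not CommitControl's implementation, and the `contacts` table, the tenant identifiers and the sample rows are constructed. The tenant identifier is taken from the authenticated session (as a scoped token would carry it) and bound into every read and write, so a row belonging to another tenant is indistinguishable from a row that does not exist. The unscoped lookup at the end shows the weak pattern the scoped repository replaces.

```python
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed, illustrative schema: one table shared by all tenants, keyed by tenant_id.
SCHEMA = """
CREATE TABLE contacts (
    id        INTEGER PRIMARY KEY,
    tenant_id TEXT    NOT NULL,
    name      TEXT    NOT NULL
);
CREATE INDEX contacts_tenant ON contacts (tenant_id);
"""

# Constructed sample rows for two hypothetical tenants.
SAMPLE_ROWS = [
    (1, "tenant-a", "Alice"),
    (2, "tenant-a", "Arun"),
    (3, "tenant-b", "Bianca"),
]


def build_db() -> sqlite3.Connection:
    """In-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


@dataclass(frozen=True)
class Session:
    """Request context. tenant_id comes from the verified auth token,
    never from a query parameter or request body the client controls."""
    user_id: str
    tenant_id: str


class TenantScopedRepo:
    """Every statement carries the session's tenant_id as a predicate."""

    def __init__(self, conn: sqlite3.Connection, session: Session):
        self.conn = conn
        self.tenant_id = session.tenant_id

    def list_contacts(self) -> list:
        return self.conn.execute(
            "SELECT id, name FROM contacts WHERE tenant_id = ? ORDER BY id",
            (self.tenant_id,),
        ).fetchall()

    def get_contact(self, contact_id: int) -> Optional[tuple]:
        # The tenant predicate is part of the lookup, not a check applied afterwards,
        # so another tenant's id simply returns None.
        return self.conn.execute(
            "SELECT id, name FROM contacts WHERE id = ? AND tenant_id = ?",
            (contact_id, self.tenant_id),
        ).fetchone()

    def rename_contact(self, contact_id: int, new_name: str) -> bool:
        # Writes are bound the same way; rowcount 0 means "not yours or not there".
        cur = self.conn.execute(
            "UPDATE contacts SET name = ? WHERE id = ? AND tenant_id = ?",
            (new_name, contact_id, self.tenant_id),
        )
        self.conn.commit()
        return cur.rowcount == 1


def unscoped_get_contact(conn: sqlite3.Connection, contact_id: int) -> Optional[tuple]:
    """The weak pattern: a lookup keyed only by a client-supplied id.
    Nothing ties the row to the caller's tenant, which is the gap the
    scoped repository above closes."""
    return conn.execute(
        "SELECT id, name FROM contacts WHERE id = ?", (contact_id,)
    ).fetchone()


if __name__ == "__main__":
    conn = build_db()
    repo = TenantScopedRepo(conn, Session(user_id="u1", tenant_id="tenant-a"))
    print("tenant-a sees:", repo.list_contacts())
    print("tenant-a asks for id 3 (tenant-b's row):", repo.get_contact(3))
    print("unscoped lookup of id 3:", unscoped_get_contact(conn, 3))
```

The design point is that the tenant filter lives in the data-access layer rather than in each request handler, so a handler that forgets a check cannot widen visibility; database-side row-level security, which the page also names, enforces the same predicate one layer lower for defence in depth.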
CommitControl is designed to prevent customers from accessing data belonging to other customers. Staff do not access customer CRM data except where required for customer-authorised support, reliability, security, or legal obligations.
CommitControl maintains operational logging and monitoring designed to support security investigations, operational troubleshooting, incident response, platform reliability, and auditability of critical actions. Logging may include authentication events, access activity, API activity, error monitoring, infrastructure telemetry, and privileged access monitoring.
Logs are retained according to operational and legal requirements.
CommitControl maintains security maintenance procedures intended to reduce known security risks. These activities may include dependency management, vulnerability scanning, security patching, configuration reviews, infrastructure hardening, secure deployment practices, and periodic security reviews.
CommitControl may engage third-party security testing providers where appropriate.
CommitControl follows secure software development practices designed to reduce operational and application-layer risk. Practices may include code review procedures, controlled deployment workflows, environment separation, secrets management, dependency review, principle of minimal exposure, and production access restrictions.
Security considerations are evaluated during development and deployment workflows.
CommitControl maintains operational backup and recovery procedures designed to support platform resilience. These measures may include encrypted backups where appropriate, periodic backup validation, recovery procedures, infrastructure redundancy where operationally feasible, and disaster recovery planning.
Recovery objectives may vary depending on infrastructure providers and service tier.
CommitControl maintains an incident response process designed to identify and contain security incidents, investigate operational impact, remediate vulnerabilities, restore affected services, and comply with applicable notification obligations.
Where required under applicable law or contractual obligations, CommitControl will notify affected customers of confirmed security incidents involving customer data.
CommitControl is designed with GDPR-aware operational controls and contractual safeguards. Depending on the context, CommitControl may act as a controller for account and business operations data and as a processor for customer CRM and uploaded business data.
CommitControl provides a Privacy Policy, a Security & Data Processing page, subprocessor transparency, and customer data deletion and export on request (email legal@commitcontrol.com; we respond within 30 days).
CommitControl continuously evaluates its operational security posture and maturity. CommitControl does not currently maintain SOC 2 or ISO 27001 certification, and does not represent that it is certified where certification has not formally been obtained.
CommitControl has implemented practical technical and organisational controls aligned with industry-standard SaaS security practices and may pursue formal certifications in the future as operational scale and customer requirements evolve.
Customers are responsible for maintaining appropriate user access controls, securing endpoint devices, managing internal CRM permissions, protecting account credentials, and configuring lawful data usage within their organisation. Security is a shared responsibility between CommitControl and the customer.
The current subprocessor list lives in our Security & Data Processing page. CommitControl uses third-party subprocessors and infrastructure providers to support operation of the Service, including hosting, authentication, billing, frontend hosting, CDN/security, secrets management, and customer-connected CRM integrations.
A more detailed security posture package is available on request for customer security reviews, procurement workflows, and enterprise onboarding. To request it, email security@commitcontrol.com or legal@commitcontrol.com.
If you believe you've found a security issue, please email security@commitcontrol.com. We aim to acknowledge reports within two business days. Machine-readable contact details are at /.well-known/security.txt.
Please give us a reasonable window to investigate and fix before any public disclosure. We won't pursue legal action against researchers who act in good faith and stay within the scope of this policy.
Security questions: security@commitcontrol.com. Data protection / GDPR: legal@commitcontrol.com.