Security & Data Handling

Security and data integrity are foundational to Commly Professional. We use established, audited infrastructure — not custom security implementations — and apply a privacy-first architecture throughout.

• —All data in transit between your browser and our infrastructure is encrypted using TLS 1.2 or higher.
• —Connections that do not meet this standard are rejected.
• —HTTPS is enforced across all platform routes.

• —Authentication is managed by Supabase, a SOC 2 Type II certified infrastructure provider.
• —Passwords are never stored in plaintext. Industry-standard hashing is applied.
• —Sessions are managed using secure, short-lived tokens.
• —Authentication events are logged for security monitoring. No communication content is included in these logs.

• —All payment processing is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor.
• —Symos Ltd does not store, receive, transmit, or have access to payment card details at any point.
• —Stripe's security infrastructure is independently audited.

• —Text you submit for AI processing is handled in volatile memory only.
• —It is never written to disk, stored in a database, included in logs, or retained in any form.
• —Content is discarded immediately once your result is returned.
• —AI processing is performed via the Google Gemini API over encrypted channels, under API terms that prohibit training data retention.

See our full Privacy Notice for complete AI processing transparency.

• —Frontend: deployed on Netlify with global edge delivery and automatic HTTPS.
• —Backend services: Supabase with row-level security (RLS) enforced at the database layer — every data access is validated against the authenticated user's identity.
• —AI processing: Google Gemini API, accessed over encrypted connections. Volatile-memory processing only.
• —Payments: Stripe's independently audited PCI DSS Level 1 environment.

Logging is restricted to the minimum necessary for operational security and billing:

• —Authentication events (sign-in, sign-out, session expiry).
• —Billing and subscription transaction records.
• —Anonymised performance and error monitoring.
• —No communication content is ever included in operational logs.

Our data handling practices are designed to align with UK GDPR obligations including: data minimisation, purpose limitation, storage limitation, integrity and confidentiality. We act as data controller and have assessed our processing activities accordingly.

If you discover a security vulnerability in Commly Professional, please report it responsibly to admin@symos.net. We will acknowledge receipt within 48 hours and work to address confirmed issues promptly. We ask that you do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and respond.