Security

How Comet keeps your data safe and secure.

At Comet, security is a foundational principle embedded throughout our organization. We take a comprehensive approach to protecting your data across our people, processes, and technology.

Secure Personnel

We believe that security starts with our people. Comet implements the following personnel security measures:

  • Background Checks: All employees undergo background checks prior to joining Comet, in accordance with local laws and regulations.
  • Non-Disclosure Agreements: Every employee and contractor is required to sign a non-disclosure agreement (NDA) before gaining access to any company systems or data.
  • Security Training: All team members complete security awareness training during onboarding and on a regular ongoing basis. Training covers topics such as phishing, social engineering, data handling, and incident reporting.

Secure Development

Comet follows a Secure Development Lifecycle (SDL) to ensure that security is integrated into every phase of product development:

  • Security by Design: Security and privacy considerations are incorporated from the earliest design phases of all new features and systems. Design reviews include threat modeling and risk assessment.
  • Secure Coding Training: All developers complete annual secure coding training covering the OWASP Top 10 and other common vulnerability classes.
  • Code Review: All code changes undergo mandatory peer review before being merged. Reviews include checks for security vulnerabilities, proper input validation, and secure data handling.
  • Dependency Management: We continuously monitor third-party dependencies for known vulnerabilities and apply patches promptly.

Secure Testing

We employ multiple layers of security testing to identify and remediate vulnerabilities:

  • Third-Party Penetration Testing: Comet engages independent, accredited third-party security firms to perform penetration testing on a regular basis. Findings are remediated according to severity and re-tested to confirm resolution.
  • Vulnerability Scanning: Automated vulnerability scanning is performed continuously across our infrastructure and applications.
  • Static Application Security Testing (SAST): We use SAST tools integrated into our CI/CD pipeline to detect security issues in source code before deployment.
  • Dynamic Application Security Testing (DAST): DAST tools are used to test running applications for vulnerabilities that may not be detectable through static analysis.

Cloud Security

Comet's cloud infrastructure is designed with defense in depth to protect customer data:

  • Customer Isolation: Customer data is logically isolated to prevent unauthorized cross-tenant access.
  • Encryption at Rest: All customer data is encrypted at rest using industry-standard encryption algorithms with unique encryption keys per customer.
  • Encryption in Transit: All data transmitted between clients and our services is encrypted using TLS 1.2 or higher.
  • SOC 2 Compliance: Our infrastructure providers maintain SOC 2 Type II attestation reports, and Comet's own controls are designed to meet the SOC 2 Trust Services Criteria.
  • Role-Based Access Control (RBAC): Access to production systems and customer data is governed by the principle of least privilege. Access is reviewed regularly and revoked promptly upon role change or departure.

Compliance

Comet is committed to meeting and exceeding industry compliance standards:

  • We pursue external certifications and undergo independent audits to validate our security posture.
  • Our security program is aligned with recognized frameworks, regulations, and best practices, including the SOC 2 Trust Services Criteria and the GDPR.
  • We continuously monitor the regulatory landscape to ensure ongoing compliance as requirements evolve.

If you have any security concerns or wish to report a vulnerability, please contact us at security@comet.rocks.