Security & Trust

It’s payroll data.
We treat it that way.

Commission numbers are people’s paychecks. Here’s how we protect them — in plain language, claiming only what we actually do, with the specifics your security team will ask about anyway.


What We Actually Do

Six things that are true.

Every dollar has a receipt

Every payout traces to the source deal, the rate, and the rule that produced it — through every calculation step. Each pay run snapshots the exact rules in force, so “what was active when this rep got paid?” always has a precise answer. That's not a reporting feature; it's the architecture.

Access follows roles, strictly

Reps see their own earnings and nothing else — enforced by row-level security in the database itself, not just hidden in the interface. Admin, manager, and payroll roles gate every sensitive action, and joining an org requires an invitation approved by your admin.

MFA you can enforce

Any org can require two-factor authentication for its admins and managers — flip it on and they can't touch admin screens or admin APIs until they've enrolled. The last factor can't be quietly removed while the requirement is active.

Encrypted, in transit and at rest

TLS on every connection, AES-256 encryption at rest, and integration credentials (like CRM OAuth tokens) additionally encrypted before they're stored. Session-replay diagnostics mask all text and input by default — we can debug without reading your numbers.

Your data has an address

Today Commish runs end-to-end in Canada — application compute and database both in Canadian regions. Enterprise plans can choose their data residency. Either way, you know where your payroll data lives, and it isn't “wherever.”

AI that doesn't leak

AI features (like describing a comp plan in plain English) run server-side on Commish's own API key, and per our provider's API terms your data isn't used to train models. AI features are conveniences on top of the engine; the math never depends on them.

Under The Hood

The specifics, since you’ll ask anyway.

Infrastructure

  • Application hosting on Vercel, with compute pinned to Montréal, Canada (yul1) — pinned in code, so a dashboard change can't silently move it.
  • Postgres database and authentication on Supabase in Canada (Central), with row-level security policies enforcing org and role boundaries inside the database.
  • TLS for every connection in transit; AES-256 encryption at rest; automated backups.
  • Multi-tenant isolation by design: every record carries its organization, and database policy — not application code alone — keeps tenants apart.
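What "row-level security inside the database" looks like in practice, as an added illustration that is not Commish's own schema or code: the tables statements and org_members, their columns, the role names and the has_org_role helper are assumptions; auth.uid() is Supabase's helper that returns the calling user's id from the request JWT.

```sql
-- Added illustration (assumed schema, not Commish's): reps read only their own
-- statements, staff read only their own org, and every write is pinned to a tenant.
-- Assumed tables: org_members(org_id, user_id, role)
--                 statements(id, org_id, rep_user_id, pay_run_id, amount_cents)

alter table statements enable row level security;
alter table statements force row level security;  -- applies to the table owner as well

-- Helper: does the caller hold one of the given roles in this org?
-- security definer lets it read org_members without triggering that table's own
-- policies (avoids recursive policy evaluation); search_path is pinned on purpose.
create or replace function has_org_role(target_org uuid, allowed text[])
returns boolean
language sql stable security definer
set search_path = public
as $$
  select exists (
    select 1
    from org_members m
    where m.org_id = target_org
      and m.user_id = auth.uid()
      and m.role = any (allowed)
  );
$$;

-- A rep sees a statement only if it names them AND they are still a member
-- of that org. A removed member loses access even to rows that name them.
create policy rep_reads_own_statements on statements
  for select to authenticated
  using (
    rep_user_id = auth.uid()
    and has_org_role(org_id, array['rep', 'manager', 'admin', 'payroll'])
  );

-- Managers, admins and payroll read every statement in their org, never another org's.
create policy staff_reads_org_statements on statements
  for select to authenticated
  using (has_org_role(org_id, array['manager', 'admin', 'payroll']));

-- Writes: the WITH CHECK clause is evaluated against the row being written,
-- so an insert that names a foreign org_id is rejected by the database itself.
create policy payroll_writes_org_statements on statements
  for insert to authenticated
  with check (has_org_role(org_id, array['admin', 'payroll']));

-- Check from a rep's session: with no WHERE clause at all, only that rep's rows
-- come back, which is the property an application bug cannot undo.
-- select count(*) from statements;
```

Because the policies live on the table, they also govern access through the auto-generated REST and realtime paths, not only the application's own queries.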

Practices

  • Every code change passes automated security gates before it ships, including secret scanning on every commit.
  • Authentication endpoints are rate-limited; user input is sanitized; payroll CSV exports are hardened against formula injection.
  • CRM integrations use cryptographically signed OAuth state, and tokens are encrypted before storage.
  • Recurring internal security audit cycles through 2026, with findings tracked to closure and verified on the production system — not just marked done in a ticket.

No Mystery Middlemen

Who touches your data.

Four vendors, each with one job. That’s the whole list of services that process customer data.

Vendor       What they do for us         Where / how
Vercel       Application hosting         Montréal, Canada (yul1)
Supabase     Database & authentication   Canada (Central)
Anthropic    AI features only, via API   US — not used to train models
Sentry       Error monitoring            Text & inputs masked by default

As of July 2026. If this list changes, existing customers hear about it from us first — not from a diff of this page.

No Pitch, Just Answers

Questions we actually get.

Can reps see each other's pay?

No. A rep's session can only read their own earnings — the restriction is a database policy, so even an application bug can't hand one rep another rep's statement.

Who can change a comp rule, and would we know?

Only admins and managers can change rules, and every pay run snapshots the rules it used. If a rule changes between runs, the before and after are both on record — attached to the runs they governed.

Can we get our data out?

Yes. Your deals, runs, and statements are exportable, and if you leave we'll delete your data on request. It's your payroll history, not our hostage.

Do AI features see our data? Is it used for training?

AI features process your data server-side through Commish's own API key, and per our provider's API terms it isn't used to train models. The calculation engine itself never depends on AI — the math is deterministic and auditable.

Will you complete our security questionnaire?

Yes, completely and quickly. Send it to ricki@getcommish.com. We'd rather spend an afternoon on your questionnaire than have you guess.


No Badge Wall

We don’t have a SOC 2 badge yet. We’d rather tell you that than imply otherwise.

We’re an early company, and formal certification is on the road, not on the wall. What we have today is everything above, running in production — plus the audit habit that keeps it true. If your process needs a security questionnaire filled out, send it — we’ll answer it completely and quickly. And if you find something we should fix, tell us — we take that seriously.

Get Started

Questions your security team wants answered?

Bring the team — we’ll walk through all of it on a call.