Our commitments
- All traffic is encrypted in transit using TLS 1.2+ with modern cipher suites.
- Sensitive fields are encrypted at rest with managed keys, rotated on a fixed schedule.
- Production access is limited to a named on-call rotation, with every action logged.
- We follow the principle of least privilege across the platform — including for ourselves.
- We disclose material security incidents to affected users within 72 hours.
Data protection
Account credentials are hashed with Argon2id. Personal identifiers (phone, ID scans) are encrypted at rest and never exposed in public profiles. Geolocation precision is bounded by the privacy setting you choose; precise coordinates are never shown on public pages.
Database backups are encrypted, geographically distributed, and tested for restore on a regular cadence.
Access controls
- Role-based access is enforced at the database row level for every Circle.
- Multi-factor authentication is available for every account and required for stewards, NGOs and authorities.
- Session tokens are short-lived and rotated automatically.
- Admin tooling sits behind separate authentication, a hardware key requirement, and an immutable audit log.
Responsible vulnerability disclosure
If you believe you've found a security vulnerability in Commona, please report it privately. We do not pursue legal action against good-faith security researchers who follow this policy.
- Email security@commona.app with a clear description and reproduction steps.
- Give us a reasonable window to respond before public disclosure (we target 90 days, less for critical issues).
- Do not access more data than necessary to demonstrate the issue. Never modify or delete user data.
- We credit researchers who request it on a public security acknowledgments page.
Lawful requests for user data
We require valid legal process to disclose user data. We notify affected users unless legally prohibited from doing so, push back on overbroad requests, and publish an annual transparency report covering requests received, complied with, and rejected.
