Trust & Security
Security at Simple Commenter
Security built for teams that cannot cut corners, with the documents to prove it.
Simple Commenter is operated by Ander Digital OÜ, an Estonian company. We built this product inside regulated, brand-sensitive environments, so security is not an afterthought. This page summarizes how we protect your data and links to the documents you can share with your own security and procurement teams.
Security highlights
- EU data residency. Customer data is stored in the EU. Our database runs on MongoDB Atlas (EU region) and our object storage and logs are hosted in Nuremberg, Germany.
- Encryption everywhere. AES-256 encryption at rest, TLS 1.2 or higher for all data in transit, and bcrypt password hashing.
- Least-privilege access. Individual accounts, MFA enforced on every cloud-provider account, and quarterly access reviews. Access for departed personnel is revoked within 24 hours.
- GDPR and DPAs. We act as a data processor, maintain Data Processing Agreements with our sub-processors, and delete customer data on request.
- Logging and monitoring. Centralized logging with 365-day retention, stored in the EU.
- Application security. Input sanitization, scoped integration tokens, signed payment webhooks, and dependency scanning via npm audit and GitHub Dependabot.
Security documents
Read these directly:
Available on request under NDA:
- Incident Response Plan
- Business Continuity Plan
To request these, email aleksander@simplecommenter.ee.
Enterprise
Need SSO and SAML, a signed DPA, whitelisting, or a full security review? Our Enterprise plan covers it, with a dedicated account manager and an SLA. Talk to us about Enterprise.