InCommon Security



At InCommon, we are committed to ensuring the security and protection of our customers' confidential data. We understand that maintaining customer trust and confidence is of the utmost importance and take information security very seriously. Our security efforts encompass all aspects of our operations, including application development, system configurations, hosting services, and personnel security. We have implemented a variety of security features to safeguard our customers' data and ensure its confidentiality, integrity, and availability. We are dedicated to creating a secure and trustworthy environment for our customers and their information. 


Organization People and Process

  1. Background checks for all employees: We conduct background checks for all our employees to ensure that the company is not hiring individuals with a history of data breaches or other security-related incidents. Background checks are conducted by Checkr, a well known and trusted background check company. 

  1. Regular security training: We perform security training which helps to ensure that employees are aware of the latest security threats and know how to protect customer data. 

  1. Incident response plan: We have a plan in place to quickly and effectively respond to security breaches. 

  1. Regular security audits: We have audits with our code releases to identify and fix any vulnerabilities in the company's systems. 

  1. Access controls: Only authorized employees have access to customer data. 


Product Security

Authentication is via email and password. Upon signing up for an account, we require users to enter a complex password. Supabase is our authentication management system. All passwords are encrypted and Supabase is SOC2 Type 2 compliant and has a strong Data Processing Agreement for privacy. 

Customer data can only be accessed with authenticated accounts with the correct role access determined by the organization attached to the user profile and an organization-s own role settings per user as No Access, User, Manager, and Admin. 


Data Security and Availability

Customer data is hosted on Supabase, a SOC2 Type 2 compliant organization. Production data is never copied to development and is queried from a distinctly different API URL with different security keys - Production data is not ever mixed with other environment data. 

Customer data is transmitted via TLS encryption to InCommon cloud server functions before being sent to an InCommon client website via HTTPS/TLS 1.3 encryption. 


InCommon Infrastructure

InCommon is hosted on Vercel, a SOC2 Type 2 compliant organization. Vercel is also GDPR compliant, has advanced access controls, and a model to help prevent unreliability due to DDoS. 


Privacy Reporting 

In the event of privacy violations or concerns, please email to formally file a complaint. We will work to address the issue as quickly and as securely as possible.