Security at KOMUNITI

Security at the infrastructure layer, not a marketing word. Every claim on this page maps to a shipped migration or a line in our source you can read for yourself.

How we protect your data

Multiple layers of security work together to keep your community information safe and private.

Encryption at Rest and in Transit

All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Database backups are encrypted and stored in geographically redundant locations.

Row-Level Security

Every database query is scoped to the authenticated user and their community. Residents can only access their own data, while admins see only their managed properties.

Multi-Factor Authentication

Protect accounts with TOTP-based multi-factor authentication. Administrators can enforce MFA for all users within their community.

CAPTCHA & Bot Protection

Login, signup, and public forms are protected by CAPTCHA to prevent automated abuse. Suspicious activity triggers additional verification steps.

Rate Limiting & Throttling

API endpoints are protected by intelligent rate limiting to prevent brute-force attacks and abuse. Graduated response policies automatically escalate protections.

Audit Logging

Every significant action is recorded in immutable audit logs. Track who accessed, modified, or deleted data with timestamps and IP addresses.

Compliance & governance

We hold ourselves to the highest standards of data governance and regulatory compliance.

Tamper-evident audit chain

Every privileged action (MFA enrollment, payment recording, election OTP issuance, community provisioning) is hash-linked into the soc2_audit_trail table (Migration 040). The chain is verifiable by any auditor with read-only access. We use the internal SOC 2 control framework as the implementation reference today; this is not a claim of a Type II attestation, which we have not yet completed.
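
How an auditor with read-only access can check a hash-linked trail, as an added illustration that is not KOMUNITI's code or the Migration 040 schema. The column names, the all-zero genesis value and the SHA-256-over-canonical-JSON construction are assumptions, and the rows are constructed sample data.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash sentinel for the first row

def row_digest(prev_hash, row):
    """SHA-256 over the previous hash plus a canonical encoding of the row body."""
    body = {k: row[k] for k in ("id", "action", "actor", "created_at")}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode()).hexdigest()

def append(chain, action, actor, created_at):
    """Writer side: link the new row to the hash of the current last row."""
    prev = chain[-1]["row_hash"] if chain else GENESIS
    row = {"id": len(chain) + 1, "action": action, "actor": actor,
           "created_at": created_at, "prev_hash": prev}
    row["row_hash"] = row_digest(prev, row)
    chain.append(row)
    return row

def verify_chain(rows, expected_head=None):
    """Return None if intact, else (row id or 'head', reason) for the first break."""
    prev = GENESIS
    for row in rows:
        if row["prev_hash"] != prev:
            return (row["id"], "broken link")       # row removed, reordered or re-hashed upstream
        if row_digest(prev, row) != row["row_hash"]:
            return (row["id"], "content mismatch")  # row body edited in place
        prev = row["row_hash"]
    # A truncated tail still verifies link by link, so compare against a
    # head hash recorded outside the table when one is available.
    if expected_head is not None and prev != expected_head:
        return ("head", "head mismatch")
    return None

def build_sample():
    """Constructed rows using the privileged actions named on this page."""
    chain = []
    append(chain, "mfa_enrollment", "admin-1", "2024-01-01T00:00:00Z")
    append(chain, "payment_recording", "admin-2", "2024-01-01T00:05:00Z")
    append(chain, "election_otp_issuance", "admin-1", "2024-01-01T00:10:00Z")
    append(chain, "community_provisioning", "admin-3", "2024-01-01T00:15:00Z")
    return chain

if __name__ == "__main__":
    print(verify_chain(build_sample()))
```

The head comparison matters because deleting the most recent rows leaves every remaining link valid; only a head hash stored outside the database exposes that kind of truncation.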

Philippine Data Privacy Act (RA 10173)

Community data is hosted on Supabase infrastructure (AWS ap-northeast-1, Tokyo region). DPO designation, Data Subject Request workflow, and 72-hour breach notification are all first-class admin surfaces at /compliance.

Defense in depth

Server-only service-role keys (never exposed to the browser bundle), rate-limited sensitive endpoints (signup 5/hr, MFA 8/5min, payment 20/10min, election OTP 3/5min), automatic dependency alerts via GitHub Dependabot, and a responsible-disclosure address at security@komuniti.cloud.

Responsible disclosure

We take security vulnerabilities seriously. If you discover a potential security issue, please report it to our security team at security@komuniti.cloud. We commit to acknowledging reports within 24 hours and providing regular updates on our investigation.

Questions about security?

Our team is happy to discuss our security practices, compliance certifications, and data protection measures.