Security

One secure place for your company's contracts - storage in Danish data centres with robust IT security, backup and GDPR compliance

COMAsystem’s approach to data security and storage

COMAsystem is designed and operated at a level of security that matches organizations and industries with particularly high security requirements. The platform is developed on the premise that contract data is business-critical and requires responsible and controlled handling.

Privacy by Design is a fundamental principle of COMAsystem. This means that considerations relating to data security and data protection are embedded in the way the platform is developed, operated, and continuously improved. Decisions regarding architecture, functionality, operations, and vendor selection are made with a focus on protecting data in the best possible way and reducing risks before they arise. Data security is therefore not an add-on layer, but an integral part of how COMAsystem operates as a company.

A core principle of COMAsystem is clarity regarding jurisdiction and the supplier chain. Consequently, no U.S. companies are included on COMAsystem’s list of sub-processors. This is considered a key criterion for GDPR compliance. U.S. companies are subject to U.S. legislation and may, in certain cases, be required to disclose data to authorities without the possibility of subsequently informing the customer, even when data is stored exclusively on servers within the EU.

Access to the platform is based on a role- and permission-based model that reflects the organization’s responsibilities and division of work. The platform supports Single Sign-On as part of the customer’s identity and access management, allowing user access to be anchored in the organization’s existing permission structure. This ensures a coherent approach to user access and supports controlled onboarding and offboarding. Logging and traceability are integral components of the platform’s governance framework.

COMAsystem’s uptime and operational reliability

Operational stability is a fundamental prerequisite for trust in a contract management platform. COMAsystem is therefore operated with a focus on high availability and predictable performance, enabling the platform to be used as an integrated part of the organization’s daily work.

The platform is continuously monitored to enable early identification of operational deviations. Monitoring and operations management are organized with clear responsibilities and established procedures, ensuring that incidents are handled in a structured and consistent manner.

Planned maintenance is carried out in a controlled manner and, as a rule, outside normal working hours in order to minimize impact on users. Unplanned maintenance and system-critical incidents are handled with a focus on rapid recovery and clear communication, limiting potential business impact.

Operational status is publicly available, providing transparency regarding the platform’s availability and stability over time.

COMAsystem’s approach to backup and disaster recovery

Long-term protection of data is a central element of COMAsystem’s approach to data security. Daily backups of the system and the data processed on the platform are performed to ensure that information can be restored when needed.

Backups are stored securely and separately from the production environment as part of a controlled operational structure. This reduces the risk of data loss and supports a robust platform, even in the event of technical incidents or operational disruptions.

Preparedness and recovery are integrated into the overall operating model. The platform is designed to restore both data and functionality without compromising data integrity or continuity in contract management.

At the same time, the platform supports the organization’s requirements for data deletion and retention as part of the overall data and compliance framework.

Audits, standards, and continuous security assessment

COMAsystem’s security work is structured and based on recognized international standards and frameworks for information security. Principles from ISO, NIST, and CIS are used as reference points for the establishment and assessment of the overall control environment.

The platform is subject to an annual independent audit in accordance with ISAE 3000 Type II, which documents that relevant technical and organizational security controls are implemented and operate effectively over time. The audit covers the control environment, processes, and the period during which the controls have been in operation.

In addition, regular independent penetration tests of the platform are conducted by an external third party, with a focus on identifying and addressing potential vulnerabilities. Monitoring, logging, audit trails, and systematic follow-up on incidents are integral components of the security program.

This approach ensures that security is not a static state, but an area that is continuously assessed and improved.