Security at Commera
Last Updated: May 8, 2026
This page summarizes how Commera LLC protects applicant data, the third-party services we rely on, and how to reach us if you discover a security vulnerability. It supplements our Privacy Policy and Terms of Service.
1. Encryption
In transit: all traffic between your browser and our site, and between our application and our service providers, is encrypted with TLS 1.2 or higher using modern cipher suites. HTTP requests are redirected to HTTPS at the platform edge (Vercel), and we send the Strict-Transport-Security header so that browsers connect to us only over HTTPS for the period the header specifies.
At rest: applicant data is stored only inside our managed third-party services (Zoho CRM, Upstash Redis, Vercel logs). All three providers encrypt data at rest using AES-256 or equivalent, with provider-managed keys. Commera does not maintain a self-hosted database; we do not write applicant data to local disk.
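The two transport properties above (plaintext requests redirected to HTTPS, and an HSTS header on the HTTPS response) are easy to verify from a pair of captured responses. The following is an added example, not Commera's code: it parses a Strict-Transport-Security value per RFC 6797 and reports weak or missing settings. The sample responses at the bottom are constructed, not captured from commerafunding.com, and the one-year max-age floor and the includeSubDomains check are this example's own thresholds, not values the page states.

```javascript
// Added example (not Commera's code): given two captured responses, check that a
// plaintext request is redirected to HTTPS and that the HTTPS response carries a
// usable Strict-Transport-Security header. Sample responses below are constructed.

const ONE_YEAR_SECONDS = 31536000; // floor this example expects for a production HSTS max-age

// Parse an HSTS header value (RFC 6797 section 6.1) into its directives.
// Directive names are case-insensitive; max-age is required and must be a non-negative integer.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false, valid: true };
  for (const raw of value.split(";")) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? null : token.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
    if (name === "max-age") {
      if (val === null || !/^\d+$/.test(val)) { out.valid = false; continue; }
      out.maxAge = Number(val);
    } else if (name === "includesubdomains") {
      out.includeSubDomains = true;
    } else if (name === "preload") {
      out.preload = true;
    }
    // unknown directives are ignored, as the RFC requires
  }
  if (out.maxAge === null) out.valid = false;
  return out;
}

// httpResponse is what a plaintext (http://) request returned; httpsResponse is
// what the same URL returned over TLS. Both are { status, headers } with
// lower-case header names. Returns a list of findings; an empty list means the checks passed.
function assessTransport(httpResponse, httpsResponse) {
  const findings = [];
  const location = httpResponse.headers["location"] || "";
  if (![301, 302, 307, 308].includes(httpResponse.status) || !location.startsWith("https://")) {
    findings.push("plaintext request is not redirected to https");
  }
  // Browsers only honour HSTS received over TLS, so the header is checked on the HTTPS response.
  const hsts = httpsResponse.headers["strict-transport-security"];
  if (!hsts) {
    findings.push("no Strict-Transport-Security header on the HTTPS response");
  } else {
    const policy = parseHsts(hsts);
    if (!policy.valid) {
      findings.push("malformed Strict-Transport-Security header");
    } else {
      if (policy.maxAge < ONE_YEAR_SECONDS) findings.push(`max-age ${policy.maxAge} is below one year`);
      if (!policy.includeSubDomains) findings.push("includeSubDomains is not set, so subdomains remain unprotected");
    }
  }
  return findings;
}

// Constructed sample responses (not captured from any real host).
const SAMPLE_GOOD = {
  http: { status: 308, headers: { location: "https://example.com/" } },
  https: { status: 200, headers: { "strict-transport-security": "max-age=63072000; includeSubDomains" } },
};
const SAMPLE_WEAK = {
  http: { status: 200, headers: {} },
  https: { status: 200, headers: { "strict-transport-security": "max-age=300" } },
};

console.log(assessTransport(SAMPLE_GOOD.http, SAMPLE_GOOD.https)); // []
console.log(assessTransport(SAMPLE_WEAK.http, SAMPLE_WEAK.https)); // three findings
```

Two caveats worth keeping in mind when running such a check against a live site: a Strict-Transport-Security header on the plaintext response is ignored by browsers, so only the HTTPS response counts, and HSTS protects a visitor only after a first successful HTTPS visit unless the domain is on the browser preload list.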
2. Hosting & Subprocessors
Commera runs on a small set of third-party services. The following list names every provider that may process applicant personal information on our behalf:
- Vercel (hosting, edge network, function execution, log retention) — SOC 2 Type 2.
- Upstash (Redis-compatible store for rate-limit counters; it holds no applicant form data, only hashed, IP-derived rate-limit keys with short retention) — SOC 2 Type 2.
- Zoho CRM (lead/applicant record system; full applicant PII stored here) — SOC 2 Type 2, ISO/IEC 27001.
- Resend (transactional email delivery; applicant email + name + summary in outgoing notifications) — SOC 2 Type 2.
- Termly (cookie consent UI; loads on every page) — does not receive applicant form data.
We do not currently use any third-party analytics, advertising, or tracking services. If we add any, we will update this page and our Privacy Policy.
3. Access Controls
Access to systems that process applicant data is limited to personnel with a documented business need. Production access requires multi-factor authentication. Credentials are never committed to source control and are rotated when personnel leave.
4. Application Security
- Form submissions are rate-limited per IP address (5 applications per hour per IP for the main form, 3 per hour per IP for opt-out and contact forms).
- The application enforces input validation and length limits on every field, server-side.
- TCPA consent is recorded together with a server-validated timestamp, so that a consent record cannot be replayed or produced by automated submission.
- For Vermont applicants, an additional state-required opt-in (8 V.S.A. § 10204) is captured before any data is shared with Funding Partners.
- The site does not load any third-party advertising, analytics, or tracking scripts.
5. Data Retention
Applicant records are retained as described in Privacy Policy § 10 — generally seven years from the most recent application or transaction, consistent with financial-services recordkeeping requirements. Rate-limit counters auto-expire one hour after they are written.
6. Breach Notification
If we confirm an unauthorized access event affecting applicant personal information, we will notify affected applicants and the applicable state regulators within the timeframe required by law — and in any event no later than 72 hours after confirmation, where practicable. We will provide the categories of information affected, what we have done to contain the incident, and steps applicants can take to protect themselves.
7. Compliance Posture
- GLBA — Privacy Policy § 4.6 implements the federal Gramm-Leach-Bliley privacy notice and opt-out for nonaffiliate marketing sharing.
- FCRA — Terms of Service § 4.2 implements the soft-pull permissible-purpose disclosure under 15 U.S.C. § 1681b.
- State commercial financing disclosure laws — see State Availability page.
- State privacy laws — Privacy Policy § 7 enumerates rights under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA, and Vermont 8 V.S.A. § 10204.
- SOC 2 Type 2 — Commera does not currently hold a SOC 2 attestation. We are evaluating the scope and timeline for a Type 2 examination.
8. Vulnerability Disclosure
If you have discovered a security vulnerability affecting Commera, please email contact@commerafunding.com with "Security Disclosure" in the subject line. We aim to acknowledge reports within two business days. We do not currently run a paid bug bounty program.
In scope: commerafunding.com and any subdomain owned by Commera LLC.
Out of scope: vulnerabilities in third-party services listed in Section 2 (please report those directly to the vendor); social-engineering of Commera personnel; volumetric attacks against the platform.
Researchers who follow this process and act in good faith will not be subject to legal action by Commera. We will publicly credit responsible disclosure on this page with the reporter's consent.
9. Contact
Commera LLC
Attention: Security
5830 E 2nd St, Casper, WY 82609
Email: contact@commerafunding.com
Phone: +1 (888) 451-5255
This page describes Commera's security practices as of the Last Updated date above. It is informational and does not create any contractual obligation beyond what is stated in our Terms of Service.