Skip to main content
Commenda uses industry-standard security practices including:
  • Encryption in transit (TLS) and at rest
  • Role-based access control
  • Secure credential storage for sensitive information like tax portal passwords
  • Regular security audits
Only people you’ve explicitly granted access to can see your data:
  • Team members with the roles you’ve assigned
  • Advisor firms linked to your company (only for assigned entities)
  • Agent firms working on your service requests (only for assigned work)
  • Commenda admins for platform support purposes
Sensitive credentials (like tax portal usernames and passwords, bank account numbers, and government IDs) are encrypted using strong encryption before storage. They are only decrypted when needed by authorized users.
Bank connections are handled through Plaid, a trusted financial data platform used by thousands of financial institutions. Commenda never stores your banking login credentials. The connection uses bank-level encryption.
Yes. Commenda provides role-based access control with multiple roles (Admin, User, Accountant, Controller, Employee, Custom). You can restrict team members to specific entities and control what data they can view and edit. See User roles.
Documents can be set as private (specific team members), shared (your team and your advisor), or restricted based on the entity they belong to. File-level access control lists give you fine-grained control over who can view each document.
Commenda staff who access the internal admin console must complete authenticator-app two-factor authentication (TOTP) on every sign-in:
  • Codes follow the RFC 6238 standard and are generated locally on the staff member’s device using apps such as Google Authenticator, 1Password, or Authy. Codes are never delivered over SMS or email.
  • Each one-time code is valid for a single use within a short time window. Replays are rejected.
  • The shared secret is encrypted at rest, and only the staff member’s authenticator app can produce a valid code.
  • A senior Commenda administrator can revoke a staff member’s enrollment at any time. Revocation invalidates the staff member’s active session immediately and forces them to re-enroll on their next sign-in.