Security

Your commission data is handled with care

CommissionOps processes payroll-adjacent financial data. We take that seriously. This page explains how we protect your data, where it lives, and what controls are in place.

Hosted on Microsoft Azure

CommissionOps runs entirely on Microsoft Azure, one of the world's leading enterprise cloud platforms, trusted by banks, healthcare systems, and governments worldwide. Azure provides:

  • 99.9%+ uptime SLAs backed by Microsoft's global infrastructure
  • Built-in DDoS protection and network-level threat detection
  • ISO 27001, SOC 1/2/3, and GDPR-compliant data centres
  • Data residency in the EU (North Europe — Ireland) — your commission data does not leave Europe

Strict multi-tenant isolation

Every workspace is fully isolated at the data layer. Your deals, reps, plans, and commission runs are never visible to — or queryable by — any other organisation. Isolation is enforced by the database engine on every query, not just in application logic.

Even in the event of a misconfigured API call or application bug, cross-tenant data leakage is structurally prevented at the persistence layer.

Encryption in transit and at rest

  • All traffic between your browser and CommissionOps is encrypted via TLS 1.2+
  • All data at rest is encrypted using AES-256 at the storage layer
  • Sensitive integration credentials (HubSpot OAuth tokens) are encrypted using ASP.NET Core Data Protection before being stored

Immutable commission history

Once a commission run is locked, it becomes permanent and tamper-proof. No admin, no support staff, and no automated process can edit or delete a locked run.

This means approved payouts stay exactly as approved — creating an auditable record that Finance, HR, and reps can all rely on. It also protects against accidental changes after payroll has been processed.

Passwordless authentication

CommissionOps uses magic-link authentication — no passwords to steal, reuse, or leak. Each sign-in link is single-use and expires in 15 minutes. Sessions are managed via short-lived signed tokens stored in secure, HTTP-only cookies.

GDPR compliance

  • CommissionOps is operated by QWERTY ApS, a Danish company subject to EU GDPR
  • Data is stored exclusively in EU data centres (Azure North Europe — Ireland)
  • Cookie consent is collected before any tracking is activated
  • You can request data deletion at any time by contacting us

For full details, see our Privacy Policy.

Security questions?

If you have specific security requirements, are conducting a vendor assessment, or need to report a vulnerability, reach out directly.

hello@commissionops.io