How Comma Compliance Captures Encrypted Messages - & How You Can Verify It

‍

An open look at how Comma Compliance archives WhatsApp, Signal, and other encrypted channels without modifying apps, touching devices, or breaking encryption, with open source code you can inspect yourself.

‍

**How encrypted message capture typically works**

‍

‍Regulators require firms to capture and retain business communications, including messages sent over encrypted apps like WhatsApp and Signal. The challenge is that these apps were designed specifically to prevent third parties from accessing message content.

Until recently, the compliance industry has solved this in one of three ways:

‍Modified apps. The vendor builds a clone of the messaging app that looks and feels like the original but routes a copy of every message to an archive server. The user installs the modified version instead of the real app. This is the approach TeleMessage used: modified versions of Signal and WhatsApp by decrypting messages on the end user's device, and then transmitting an unencrypted copy of that message to a storage archive.
‍Device-level agents. The vendor installs software on the employee's phone that monitors and captures messages locally. This typically requires Mobile Device Management (MDM), introduces battery drain, and creates privacy concerns, especially on personal devices under BYOD policies.‍
API-based capture from the platform. Where available, some vendors use official APIs to pull message data. This works for platforms like Slack, Teams, and email, but Personal WhatsApp, Signal, and iMessage don't offer public archiving APIs which is why the first two approaches exist.

Each of these has trade-offs. Modified apps introduce security vulnerabilities and require users to change their behavior. Device agents create IT burden and employee friction. API-based capture can work well where it's available, but doesn't cover the channels regulators are most focused on right now.

‍

How Comma Compliance does it differently

‍

Comma captures messages at the network layer during transmission rather than from the device, a back-up database, or modified application.
‍

We don't modify apps. We don't install software on devices. We don't decrypt messages on an intermediate server and re-encrypt them for storage.

What that means in practice:

‍No modified apps. Your team uses the real WhatsApp, the real Signal, the real iMessage. Nothing changes about their experience. There is no Comma-branded clone to install.
‍No device footprint. Comma doesn't run on the employee's phone. No battery drain, no MDM requirement, no local data storage. This matters especially for firms with BYOD policies where employees use personal devices for business communication.‍
No intermediate plaintext exposure. Comma does not decrypt message content on intermediary servers during capture. The capture happens without exposing plaintext content.

‍
And, unlike every other vendor making these claims, we've published the code so you can verify it yourself.

‍

What happened with TeleMessage? Does it really matter?

‍

First, yes, it matters. In May 2025, TeleMessage -an Israeli software company acquired by Smarsh in 2024- was breached. It was breached after a hacker accessed a publicly exposed debug endpoint on one of its archive servers. The endpoint returned a memory dump containing plaintext chat logs, user credentials, and encryption keys. The entire breach took roughly 15 to 20 minutes.
‍

The root cause was architectural. TeleMessage's approach to compliance archiving involved capturing messages after decryption on an intermediate server. While this met the technical requirement of creating an archivable copy, it broke the end-to-end encryption that apps like Signal were built to guarantee. When that intermediate server was compromised, plaintext messages were exposed.

‍

After the breach

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog
Multiple federal agencies suspended use of the product
Signal stated it could not guarantee the security of unofficial versions of its app

This incident raised a question that every regulated firm should be asking their archiving vendor: does your capture method introduce new attack surfaces that wouldn't exist if the messages were never archived?
‍

With a modified-app approach, the answer is almost always yes. A copy of every message passes through infrastructure the vendor controls, in a format the vendor designed, using an app the vendor modified. Each of those layers is a potential point of failure.
‍

Comma's architecture avoids this by not modifying apps, but we also recognized that saying "trust us, our architecture is different" isn't enough — especially after an incident like TeleMessage proved that vendor claims about encryption can be false.

‍

Why we open-sourced our capture code

‍

In August 2025, we published the source code for our WhatsApp and Signal capture connectors on GitHub — WhatsApp under Apache 2.0 and Signal under GPL v3. Anyone can inspect, fork, or self-host them.
‍

We did this because transparency is more convincing than marketing. When a compliance officer or CISO asks "how do you capture messages and how do I know it's secure," the strongest possible answer is: here's the code, run your own analysis.

What your security team can do with it:

Clone the repo and inspect every line of capture logic
Run static analysis tools or threat-model the data flow
Verify that messages are captured completely and without modification

What your legal and compliance team gets:

A defensible answer when regulators ask "show me how this message was captured"
A commit hash instead of a marketing sheet
Evidence that the capture logic has been open to public scrutiny

‍

What to ask any archiving vendor

‍

Whether you're evaluating Comma or anyone else, these are the questions that matter after TeleMessage:

‍Does your capture method modify the original messaging app? If yes, you're trusting the vendor's modified code on every employee's device. Ask to inspect it.‍
Where is message content decrypted, and is it ever stored in plaintext on an intermediate server? If plaintext exists anywhere between the device and the final archive, that's an attack surface.‍
Can I inspect the capture logic myself? If the answer is "no, but here's a whitepaper," consider what that means for your security posture.‍
What data would be exposed if your infrastructure were compromised? Understand what data would be exposed and in what state: encrypted or plaintext.‍
Is the capture technology something you built, or something you acquired? Acquisitions can introduce legacy architecture that wasn't designed with the same security model.

‍

Where to go from here:

Inspect the code: Comma Compliance on GitHub‍
Read the backstory: Open-Sourcing WhatsApp & Signal Capture Code - the original blog post explaining our decision‍
Press release: Comma Compliance Debuts Open-Source WhatsApp & Signal Captures - distributed via BusinessWire and covered by Yahoo Finance, The AI Journal, and Business Fortune.‍
Understand what happened with TeleMessage: The Timeline - a factual record of the breach, the response, and the fallout.‍
Talk to us: If you're evaluating archiving vendors and want to walk through our architecture in detail, we're happy to do that. You can always book a demo here or email us at support@commacompliance.com.

_{Comma Compliance's WhatsApp and Signal capture connectors are open-source. Neither connector is affiliated with or endorsed by Meta Platforms, Inc. or Signal Messenger, LLC.}