# Open-Source Compliance Archiving | Comma Compliance

Comma's WhatsApp and Signal capture code is on GitHub under Apache 2.0. No modified apps, no broken encryption — inspect every line.

Source: https://commacompliance.com/resources/open-source-capture
Last updated: 2026-05-27

---
_Every compliance archiving vendor claims their capture method is secure. After the TeleMessage breach, those claims aren't enough. Comma publishes its WhatsApp and Signal capture code openly — so your team can verify exactly what happens to a message from the moment it's sent until it reaches the archive._

Regulators require firms to capture and retain business communications, including messages sent over encrypted apps like [WhatsApp](/whatsapp-compliance-archiving) and [Signal](/signal-compliance-solution). The challenge is that these apps were designed specifically to prevent third parties from accessing message content. Until recently, the compliance industry has solved this in one of three ways:

- **Modified apps.** The vendor builds a clone of the messaging app that looks and feels like the original but routes a copy of every message to an archive server. The user installs the modified version instead of the real app. This is the approach TeleMessage used: its modified versions of Signal and WhatsApp decrypted messages on the end user's device and then transmitted an unencrypted copy of each message to a storage archive.
- **Device-level agents.** The vendor installs software on the employee's phone that monitors and captures messages locally. This typically requires Mobile Device Management (MDM), introduces battery drain, and creates privacy concerns, especially on personal devices under BYOD policies.
- **API-based capture from the platform.** Where available, some vendors use official APIs to pull message data. This works for platforms like Slack, Teams, and email, but personal WhatsApp, Signal, and [iMessage](/imessage-compliance) don't offer public archiving APIs, which is why the first two approaches exist.

Each of these has trade-offs. Modified apps introduce security vulnerabilities **and** require users to change their behavior. Device agents create IT burden and employee friction. API-based capture can work well where it's available, but it doesn't cover the channels regulators are most focused on right now.

## How Comma Compliance does it differently

Comma operates as an authorized endpoint — a device the user explicitly links to their account. Because the user grants access directly, Comma receives messages the same way any linked device would, without modifying apps, intercepting network traffic, or installing software on employee phones.

We don't modify apps. We don't install software on devices. We don't decrypt messages on an intermediate server and re-encrypt them for storage.

What that means in practice:

- **No modified apps.** Your team uses the real WhatsApp, the real Signal, the real iMessage. Nothing changes about their experience. There is no Comma-branded clone to install.
- **No device footprint.** Comma doesn't run on the employee's phone. No battery drain, no MDM requirement, no local data storage. This matters especially for firms with BYOD policies where employees use personal devices for business communication.
- **No intermediate plaintext exposure.** Comma does not decrypt message content on intermediary servers during capture. The capture happens without exposing plaintext content.

And, unlike every other vendor making these claims, we've [published the code](https://github.com/comma-compliance) so you can verify it yourself.

## What happened with TeleMessage? Does it really matter?

First, yes, it matters. In May 2025, TeleMessage, an Israeli software company acquired by Smarsh in 2024, was breached after a hacker accessed a publicly exposed debug endpoint on one of its archive servers. The endpoint returned a memory dump containing plaintext chat logs, user credentials, and encryption keys. The entire breach took roughly 15 to 20 minutes.

The root cause was architectural. TeleMessage's approach to compliance archiving involved capturing messages after decryption on an intermediate server. While this met the technical requirement of creating an archivable copy, it broke the end-to-end encryption that apps like Signal were built to guarantee. When that intermediate server was compromised, plaintext messages were exposed.

[See how Comma compares to Smarsh's TeleMessage architecture →](/compare/telemessage-alternative)

This incident raised a question that every regulated firm should be asking their archiving vendor: **does your capture method introduce new attack surfaces that wouldn't exist if the messages were never archived?**

With a modified-app approach, the answer is almost always **yes.** A copy of every message passes through infrastructure the vendor controls, in a format the vendor designed, using an app the vendor modified. Each of those layers is a potential point of failure.

Comma's architecture avoids this by not modifying apps, but we also recognized that saying "trust us, our architecture is different" isn't enough — especially after an incident like TeleMessage proved that vendor claims about encryption can be false.

## Why we open-sourced our capture code

In August 2025, we published the source [code for our WhatsApp](https://github.com/comma-compliance/whatsapp-capture) and [Signal capture connectors](https://github.com/comma-compliance/signal-capture) on GitHub — WhatsApp under Apache 2.0 and Signal under GPL v3. Anyone can inspect, fork, or self-host them.

We did this because transparency is more convincing than marketing. When a compliance officer or CISO asks "how do you capture messages and how do I know it's secure," the strongest possible answer is: here's the code, run your own analysis.

Comma Compliance's WhatsApp and Signal capture connectors are open-source. Neither connector is affiliated with or endorsed by Meta Platforms, Inc. or Signal Messenger, LLC.
