WORM Storage & SEC Rule 17a-4 Compliance

How Comma Compliance meets immutable storage requirements for regulated communications.

Does Comma Compliance provide WORM-storage?

The short answer: Yes. Communications archived in Comma Compliance's storage are retained using Write-Once-Read-Many (WORM) policies. Records cannot be altered, overwritten, or deleted during the capture and retention period. This meets the immutability requirements of SEC Rule 17a-4(f) and supports FINRA Rule 4511 recordkeeping obligations.

How it works

When Comma captures a communication, whether it's a WhatsApp message, an iMessage thread, a Signal conversation, or an email, the content is encrypted in transit and written to immutable storage. Once written, the record is locked. No one at your firm or at Comma can modify or delete it until the retention period expires.

Every archived record includes the original message content, attachments, timestamps, and a full audit trail of access and administrative actions. This preserves the context regulators expect to see during an exam: not just the text of a message, but who sent it, when, to whom, and what was attached. Context matters, and examiners understand that.

Encryption

All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256. Encryption keys are managed through AWS KMS and Azure Key Vault. Comma does not store raw keys alongside archived data.

Retention

The default retention period for data stored in Comma's archive is 7 years, consistent with SEC Rule 17a-4's requirements for broker-dealer communications. If your regulatory regime or internal policies require a longer retention window, we can accommodate that.

Retention is enforced automatically. Records are preserved for the full duration of the configured retention period with no manual intervention required.
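As an added illustration (not Comma's code; the page names AWS but not which feature backs its WORM storage), the check below assumes S3 Object Lock and tests a bucket's default retention configuration against the 7-year, non-erasable expectation described above, showing a weak governance-mode setting beside the corrected compliance-mode one:

```python
# Added example, not Comma's code. Assumes the AWS side of the archive uses
# S3 Object Lock; the input dicts follow the shape of GetObjectLockConfiguration
# and are constructed inline here.
from datetime import date, timedelta

MIN_RETENTION_DAYS = 7 * 365  # the page's 7-year default, counted as 365-day years

def check_object_lock(config: dict) -> list:
    """Return a list of findings; an empty list means the bucket passes."""
    findings = []
    if config.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
        return findings
    rule = config.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: new objects are not locked")
        return findings
    # GOVERNANCE mode can be shortened or removed by any principal holding
    # s3:BypassGovernanceRetention; COMPLIANCE mode cannot be, not even by root.
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"mode is {rule.get('Mode')!r}, expected COMPLIANCE")
    days = rule.get("Days", 0) + rule.get("Years", 0) * 365
    if days < MIN_RETENTION_DAYS:
        findings.append(f"default retention is {days} days, below {MIN_RETENTION_DAYS}")
    return findings

def retain_until(written_iso: str, config: dict) -> str:
    """Earliest ISO date an object written on written_iso could be deleted under the rule."""
    rule = config["Rule"]["DefaultRetention"]
    written = date.fromisoformat(written_iso)
    return (written + timedelta(days=rule.get("Days", 0) + rule.get("Years", 0) * 365)).isoformat()

# Constructed weak configuration: governance mode with a 90-day window.
WEAK = {"ObjectLockEnabled": "Enabled",
        "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 90}}}
# Constructed corrected configuration: compliance mode, 7-year default retention.
STRICT = {"ObjectLockEnabled": "Enabled",
          "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Years": 7}}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("strict", STRICT)):
        print(name, check_object_lock(cfg) or "OK")
```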

Audit Trail

All user activity and administrative actions — including searches, exports, access events, and configuration changes — are logged in immutable audit logs. These logs are available upon request for internal review and regulatory examination.

What about storage destinations outside Comma?

Comma supports multiple archive destinations. Some customers store exclusively with us. Others route captured data to Smarsh, Global Relay, Microsoft Purview, or their own infrastructure.

Here's the distinction that matters:

If you store with Comma, your data is held in WORM-compliant, immutable storage with a 7-year default retention period. We control the full chain: capture, encryption, storage, and retention enforcement.

If you route data to an external destination, Comma captures and delivers communications to that endpoint securely and completely. However, once the data is in your chosen provider's environment, retention policies, immutability guarantees, and access controls are governed by that provider, not by Comma.

This means if you're using Smarsh or Global Relay as your archive destination, your WORM compliance depends on how those systems are configured on your end. Comma ensures nothing is lost or altered upon capture. What happens after delivery is between you and your storage provider.

If you're evaluating storage options and want to understand the implications for your compliance posture, we're happy to walk through the tradeoffs.

Infrastructure

Comma's archive infrastructure is hosted across Amazon Web Services (AWS) and Microsoft Azure. Both environments meet enterprise-grade security and availability standards.

Data residency

Client data is stored in the United States by default. Data residency in the EU or Asia-Pacific is available for customers with specific regulatory or jurisdictional requirements.

Durability and availability

Archived data benefits from storage architecture designed for 99.999999999% durability and 99.99% availability, aligned with AWS's highest tier of data protection.

Access controls

Archive access is protected by single sign-on (SSO) integration, multi-factor authentication (MFA), and role-based access controls (RBAC). Only authorized users see the data they are permitted to access.

What regulators are looking for

SEC Rule 17a-4 requires broker-dealers to preserve certain records in a non-rewritable, non-erasable format for specified periods. FINRA Rule 4511 extends this to require firms to make and preserve books and records in a way that complies with SEC rules.

In practice, during an examination, regulators want to confirm three things:

Completeness.

Are all relevant comms being captured? Across all channels that employees actually use?

Immutability.

Can records be tampered with? Can anyone alter or delete an archived message?

Retrievability.

Can the firm search, locate, and export specific records promptly when asked?

Comma is built to satisfy all three. Capture covers 30+ communication channels. Storage is WORM-compliant and immutable. Search and export are available from a centralized dashboard with no per-export fees.

Open-source capture transparency

One of the most common follow-up questions from compliance and security teams is: how do we know the capture is actually working the way you say it is?

Most vendors answer that with a marketing sheet. We answer it with source code.

Comma's WhatsApp and Signal capture connectors are open-source and available on GitHub.

Your security team can inspect every line of capture logic, run their own tests, and verify that messages are captured completely and without modification before they reach the archive.

This is relevant to WORM because immutability only matters if what you're storing is accurate and complete in the first place. If the capture layer is a black box, you're trusting a vendor's word that the data entering your archive is the same data that was sent on the wire. With Comma, you don't have to trust. You can verify.

Commonly asked Compliance Questions

Is Comma's storage SEC 17a-4(f) compliant?
Yes. Data stored in Comma's archive uses WORM retention policies that prevent alteration or deletion during the retention period.

Can we extend retention beyond 7 years?
Yes. The 7-year default is configurable. If your policies or regulatory requirements call for longer retention, we can work to accommodate that.

What formats can we export in?
Comma supports export in standard formats for regulatory examination and e-discovery. Exports are unlimited and included at no additional cost.

What if we use Smarsh, Global Relay, or another provider for storage?
Comma captures your data and delivers it to your chosen destination. However, Comma does not own or operate that destination. If your provider's environment experiences downtime, ingestion issues, or configuration problems on their end, delivery may be affected by factors outside our control. WORM compliance, retention enforcement, and availability in that scenario are governed entirely by your storage provider. If uninterrupted, end-to-end control over your archive matters to you, storing directly with Comma removes that dependency.

How do we know captured messages haven't been modified before storage?
Our WhatsApp and Signal capture code is open-source. Your team can audit the capture chain directly. For other channels, Comma provides capture receipts and a full chain-of-custody trail from point of capture to archive.
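The capture receipts and chain-of-custody trail mentioned above, and the capture-integrity concern raised in the open-source section, as an added example that is not Comma's own code or receipt format: each message is hashed at capture (attachments by their bytes), each receipt commits to the previous one, and the archive recomputes the chain on ingestion so an altered or reordered record is rejected. All field names and the sample messages are constructed.

```python
# Added example, not Comma's code: a constructed receipt format and chain check.
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first receipt of a capture session

def canonical(record: dict) -> bytes:
    # Stable serialisation (sorted keys, no whitespace) so the digest does not
    # depend on how a connector happens to order or format the fields.
    return json.dumps(record, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_receipt(record: dict, attachments: list, prev_id: str) -> dict:
    """Receipt issued at capture time, before the record leaves the connector."""
    # Attachments are hashed by their bytes, so a swapped file with the same
    # name is caught; the hashes become part of the hashed-over content.
    body = dict(record, attachment_sha256=[sha256_hex(a) for a in attachments])
    content = sha256_hex(canonical(body))
    # Each receipt id commits to the previous one, giving an ordered trail.
    receipt_id = sha256_hex(f"{prev_id}:{content}".encode("ascii"))
    return {"content_sha256": content, "prev": prev_id, "receipt_id": receipt_id}

def issue_receipts(captured: list) -> list:
    """Capture side: one receipt per (record, attachments) pair, in capture order."""
    receipts, prev = [], GENESIS
    for record, attachments in captured:
        receipts.append(make_receipt(record, attachments, prev))
        prev = receipts[-1]["receipt_id"]
    return receipts

def verify_chain(captured: list, receipts: list) -> tuple:
    """Archive side: recompute every receipt and compare with what capture issued."""
    if len(captured) != len(receipts):
        return False, "record count differs from receipt count"
    prev = GENESIS
    for i, ((record, attachments), receipt) in enumerate(zip(captured, receipts)):
        if make_receipt(record, attachments, prev) != receipt:
            return False, f"record {i}: content or chain order does not match its receipt"
        prev = receipt["receipt_id"]
    return True, "ok"

# Constructed sample capture: two WhatsApp messages, the first with an attachment.
MSG1 = ({"channel": "whatsapp", "from": "+15550100", "to": ["+15550101"],
         "ts": "2024-03-01T14:02:11Z", "text": "Sending the term sheet now"}, [b"%PDF-1.7 sample"])
MSG2 = ({"channel": "whatsapp", "from": "+15550101", "to": ["+15550100"],
         "ts": "2024-03-01T14:03:40Z", "text": "Received, thanks"}, [])
CAPTURED = [MSG1, MSG2]
```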