
Security and Privacy and CommBox


CommBox is committed to Security

Secure operations based on best practice

At CommBox, we take security very seriously and our team implements industry best practices. Our team adopts a holistic approach to security and adheres to a common controls framework. We work to prevent security threats through our detections program, secure software development practices, and industry-accepted operational practices.

Platform and Network Security

To ensure the security of our products, we conduct thorough security testing, including threat modeling, automated scanning, and third-party audits. In the event of a security incident, we have established security incident response practices to address the issue promptly, and we provide updates on the status of the system to keep you informed. The purpose of this document is to help IT managers quickly understand the network requirements for CommBox hardware and software. This document also provides the latest information about CommBox’s commitment to the privacy, security, and reliability of our products.

Availability and continuity

We ensure high availability of our services by maintaining multiple geographically dispersed data centers and implementing comprehensive disaster recovery and business continuity programs. Our data centers are hosted by trusted partners who strictly control physical access and implement robust security measures.

Security in our products

CommBox prioritizes security as the foundation of our cloud applications and services. We are dedicated to protecting the confidentiality, integrity, and availability of your company's data. Our products are designed to help teams collaborate effectively while ensuring that your data is kept secure with industry-standard best practices.

Vulnerability Disclosure Program

Report a system security vulnerability

About our security vulnerability disclosure program

The security of our online systems and the information they hold are our highest priority. We take every care to ensure that they are secure and up to date. However, we recognise that despite these efforts there may still be vulnerabilities. 


We welcome engagement from the security community and we are grateful to anyone sharing their findings with us to make our system security even stronger. Our security vulnerability program provides an avenue for you to responsibly report any potential issues or vulnerabilities to us.

If you think you have identified an issue or vulnerability in one of our systems, services, or products, please report it to us as quickly as possible. 

Our program does not authorise you to conduct security testing. If you think a vulnerability exists, please report it to us. We can test and verify it and, where necessary, take action to address the vulnerability. 

Where we need to procure expert services to assist with addressing the vulnerability, we will do so. 


What the program covers

Our security vulnerability disclosure program covers: 

  • any product or service wholly owned by us to which you have lawful access 

  • any product, service, and infrastructure we provide to shared service partners to which you have lawful access 

  • any services that are owned by third parties but utilised as a part of our services that you have lawful access to. 


Under this program, you must not: 

  • disclose vulnerability information publicly 

  • engage in physical testing

  • leverage deceptive techniques, such as social engineering, against CommBox employees, contractors, or any other party 

  • execute resource exhaustion attacks, such as DoS (denial of service) or DDoS (distributed denial of service) 

  • leverage automated vulnerability assessment tools 

  • introduce malicious software or similar harmful software that could impact our services, products or customers, or any other party 

  • engage in unlawful or unethical behaviour

  • reverse engineer CommBox products or systems

  • modify, destroy, exfiltrate, or retain data stored by CommBox

  • submit false, misleading, or dangerous information to CommBox systems 

  • access or attempt to access accounts or data that does not belong to you. 


Do not report security vulnerabilities relating to missing security controls or protections that are not directly exploitable. Examples include: 

  • weak, insecure, or misconfigured SSL (secure sockets layer) or TLS (transport layer security) certificates 

  • misconfigured DNS (domain name system) records including, but not limited to SPF (sender policy framework) and DMARC (domain-based message authentication reporting and conformance) 

  • missing security HTTP (hypertext transfer protocol) headers (for example, permissions policy) 

  • theoretical cross-site request forgery and cross-site framing attacks. 


How to report a vulnerability

To report a potential security vulnerability, send details to 

Provide as much information as possible, including: 

  • an explanation of the potential security vulnerability 

  • a list of the products and services that may be affected (where possible) 

  • steps to reproduce the vulnerability 

  • proof-of-concept code (where applicable) 

  • names of any test accounts you have created (where applicable) 

  • your contact details. 

We may need to contact you for more information to resolve the concern. We will handle your report confidentially in line with our privacy policy.

We ask that you also maintain confidentiality. Please do not publicly disclose details of any potential security vulnerabilities without our written consent. 

What happens next

When you report a vulnerability, we will acknowledge your report within 2 business days. Unfortunately, we may be unable to share the outcomes or updates regarding any actions we have taken in relation to the vulnerability. 

We will not: 

  • financially compensate you for reporting 

  • share your details with any other organisation, without your permission 

  • guarantee any future security or systems work. All recruitment at CommBox follows the CommBox recruitment process.

If you have any questions, contact us at


CommBox is committed to protecting your privacy

Privacy Principles

Privacy First

  • Ensuring that individuals trust a tool is crucial in encouraging its use. Our commitment to fostering open collaboration and teamwork is reflected in our development of impactful data controls, choices, and notices. Our approach to privacy by design is integrated into every aspect of our work. Our goal is to construct privacy-aware products with ease of use.

Open and Transparent

  • Proactive transparency is essential for building trust. We pledge to provide simple and consistent information on who can access your data and for what purposes.

  • We provide this information through several channels, including our Privacy Policy, User Agreement Notice, and Trust Center online. We may also provide additional details within our products to assist you in comprehending the impacts of specific product configurations.

  • In addition, we inform you of any data incidents as they occur.

Control is in your hands

  • Our goal is to ensure that you feel secure sharing your data with us, based on the options we offer for providing, limiting, altering, accessing, or withdrawing personal information. Although we prioritize compliance with legal obligations, we strive to go beyond legal requirements by enhancing your choices and providing optimal solutions.

We want to hear from you

  • We value your privacy needs and strive to align our roadmap with your privacy requirements. Please share your feedback by submitting feature suggestions to

Manage your personal data privacy

CommBox respects your privacy and is dedicated to upholding our Privacy Principles. We believe in transparency and will provide you with information on your privacy options and our business practices. Below, we have outlined details related to both topics.

Control over Your Data

You have the power to manage your profile information as you see fit, including deciding what personal information is visible. Additionally, we offer options for controlling how your profile appears to those with whom you collaborate. While collaborative experiences allow open identification, it is not mandatory.

Please keep in mind that your access to CommBox Account settings will vary depending on how you interact with us. If you use our products as part of an organization, your administrator may have default access to some of your profile information.

Privacy Changes

At CommBox, we offer various tools to help you make privacy requests, whether it's accessing or deleting your data. The tool you use will depend on whether you are part of an organization and if you have a CommBox account.

If you have a CommBox account, you can make a request to access or delete your data by reaching out to

Data sharing, marketing and consent

We understand the importance of your privacy and being transparent about how we collect, use, and share your information. Our Privacy Policy outlines the information we collect, how we use and store your data, and the ways you can access and control your information, including managing your consents.

CommBox will not share your information with government agencies without proper process.

Manage your business’s data privacy

Where is your data located

We prioritize reducing latency and ensuring optimal performance for you and your users when determining the location of data hosting. Our decision on where to host data is based on how it is accessed around the world, rather than upon request. The default data hosting locations are Australia and the US.

How we store your data

All data is stored securely in Microsoft Azure or AWS databases and servers.

Removing your data

We give you the option to completely remove your data from our services. To request this please email

Privacy Policies

Read our privacy policy for website and business interactions here.

Read our privacy policy for CommBox OS Experience here.

Online Safety Act 2021 Compliance

Online Safety Act 2021 Compliance and Reporting

CommBox takes online safety very seriously. CommBox has read and understands the Online Safety Act 2021.

The Online Safety Act 2021 is new legislation that makes Australia’s existing laws for online safety more expansive and much stronger. The Act:

  • creates a world-first Adult Cyber Abuse Scheme for Australians 18 years and older

  • broadens the Cyberbullying Scheme for children to capture harms that occur on services other than social media

  • updates the Image-Based Abuse Scheme that allows eSafety to seek the removal of intimate images or videos shared online without the consent of the person shown

  • gives eSafety new powers to require internet service providers to block access to material showing abhorrent violent conduct such as terrorist acts

  • gives the existing Online Content Scheme new powers to regulate illegal and restricted content no matter where it’s hosted

  • brings app distribution services and search engines into the remit of the new Online Content Scheme

  • introduces Basic Online Safety Expectations for online service providers

  • halves the time that online service providers have to respond to an eSafety removal notice, though eSafety can extend the new 24-hour period.

CommBox has an obligation to report any breaches of the Online Safety Act that occur with our applications. If you encounter any content or behaviour that is in breach of the Online Safety Act 2021, please report it immediately to CommBox at Alternatively, you can report it to the eSafety Commissioner using the following link:

Data Deletion Request

CommBox is committed to protecting your privacy and your data.

If you would like to request to have your data deleted, please review the steps here.
