# Security

Last updated April 30, 2026

**Short version:** your document is isolated from every other document on the platform, encrypted while it travels over the network, encrypted at rest by Cloudflare, and protected by unguessable share tokens plus authenticated owner checks. We don't sell document data, run ads, or train Comment.io models on it. Security reports go to [max@comment.io](mailto:max@comment.io) and are reviewed promptly.

Your documents are private by default, encrypted on the way to us and while we hold them, and isolated from every other document on the platform. This page explains what that means, what we do with the data you give us, and what we don't. If you're trying to decide whether to put a draft, a memo, or your team's notes here — this is for you.

**Isolated by document**
Each document gets its own private container with storage no other document can reach.

**Encrypted in transit**
Browser, live-collaboration, and API traffic uses HTTPS/TLS.

**Encrypted at rest**
Cloudflare-managed storage encrypts persisted values and uploaded images.

**Token-gated access**
Reading or writing a private document requires a valid token or signed-in owner.

## Core commitments

- **Your documents are yours.** We use document content only to provide the editor, collaboration, comments, suggestions, authorship history, storage, and API features you ask us to provide.

- **No ads, no data brokers.** We don't sell, rent, or share document content with advertisers or data brokers — there's no one to sell it to.

- **No model training by Comment.io.** We don't train AI models on your documents. If you choose to give a third-party agent or AI tool a document token, that tool's own terms apply to whatever it receives.

- **Hashed secrets at rest.** If our database leaked tomorrow, the secrets in it would be useless. Agent API keys are stored as one-way hashes — even we can't read the original — and sessions are signed so a copy of a database row can't be used to log in as you.

- **Clear security contact.** If you find a security bug, email [max@comment.io](mailto:max@comment.io). Good-faith reports are triaged promptly, and reproduction happens on test documents rather than user data.

## What we don't do, and what we can see

**Can Comment.io operators read your documents?** Operational access to production storage exists for incident response and bug investigation — that's a fact of running any hosted service. We don't browse user documents for product, marketing, or curiosity reasons, and we don't train models on them. If we ever need to access a specific document to debug a reported issue, we'll tell you.

**What we log.** We log request paths, status codes, request timings, and errors. We don't log the contents of your documents, the keystrokes you type, or the text of your comments. Logs are retained for up to 30 days in Axiom.

**Deletion.** When you delete a document, its private container, uploaded images, and access tokens are removed. Edge caches and operational logs may retain references for a short period before they roll over. We don't keep "soft-deleted" copies for analytics.

**Inactivity expiry.** Document access tokens auto-expire after 30 days of inactivity. A forgotten share link stops working on its own.

**Data export.** You can export any document as Markdown at any time. Leaving Comment.io is straightforward by design.

**If Comment.io shuts down.** If we ever wind the service down, we'll give at least 30 days' notice and provide a way to export your documents as Markdown before data is removed.

**OAuth provider compromise.** If your Google, Microsoft, or Apple account is taken over, anyone who can sign in as you can access your documents — Comment.io trusts the provider's answer. Use a strong password and two-factor authentication on the provider, and contact us if you suspect a takeover so we can revoke active sessions.

_Document requests are routed into a per-document execution and storage boundary._

```mermaid
flowchart LR
  B[Browser editor: REST + live sync]
  A[Agent or API client: REST API]
  W[Comment.io Worker]
  ACL[Token/session + role check]
  B --> W
  A --> W
  W --> ACL
  ACL --> D1[Document A container]
  ACL --> D2[Document B container]
  D1 --> S1[(Private storage for Document A)]
  D2 --> S2[(Private storage for Document B)]
  D1 -.-> B2[No access to Document B storage]
  D2 -.-> B1[No access to Document A storage]
  classDef blocked fill:#fff7ed,stroke:#ea580c,color:#7c2d12
  class B1,B2 blocked
```

## How document access works

Every document has a URL identifier and access tokens. A person or agent needs a valid token, or a signed-in owner session, to read or modify private document content through the app, the live-collaboration connection, or the REST API. There is no listing or directory that exposes documents publicly — a document's existence does not make it discoverable.

Treat share links and API credentials like passwords. Anyone who receives a valid token can use the access that token grants until you rotate or revoke it from the document's Share menu. Public previews show only the title and timestamps — the actual text never appears in a preview.

Each private document has a permissions list mapping people, browser visitors, and registered agents to one of four roles. Permissions are checked on our servers, not just in the browser — the UI can't be "inspected" to grant yourself extra access.

- **Owner.** Manage the document and its sharing settings, invite collaborators, change roles, use owner-only controls.

- **Editor.** Change document content and participate in collaboration.

- **Commenter.** Add comments and suggestions without broad document-management powers.

- **Viewer.** Read the document without changing it.

- **Agent access.** Registered agents are added to the permissions list by handle and receive only the role they were granted for that document.

Comments and suggestions carry author metadata. The server rejects unauthorized edits to a comment owned by someone else — your comments can't be silently rewritten by another person or agent.
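One way to express the server-side role check and the comment-authorship rule described above, as an added illustration that is not Comment.io's own code. The subject ids, action names, role ordering and document shape are assumptions made for this example.

```javascript
// Added example, not Comment.io's code: a server-side authorization check
// over the four-role model. Subject ids, action names, role ordering and the
// document shape are assumptions made for this illustration.

// Each role includes everything the roles ranked below it may do.
const ROLE_RANK = { viewer: 1, commenter: 2, editor: 3, owner: 4 };

// Lowest role that may perform each action.
const MIN_ROLE = { read: 'viewer', comment: 'commenter', edit: 'editor', manage: 'owner' };

// Own-property lookup so inherited names such as "constructor" never match.
const own = (obj, key) => (Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : null);

// Constructed sample document: the permissions list maps a person, a share
// token, or a registered agent handle to exactly one role.
const sampleDoc = {
  id: 'doc_demo',
  permissions: {
    'user:alice': 'owner',
    'token:share-ro-1': 'viewer',
    'agent:@summarizer': 'commenter',
  },
  comments: [{ id: 'c1', author: 'agent:@summarizer', text: 'Looks fine to me.' }],
};

// Role for this subject on this document, or null if the subject is not listed.
function roleOf(doc, subject) {
  return own(doc.permissions, subject);
}

// Deny by default: unknown actions and unlisted subjects both get false,
// so an unlisted caller cannot even learn that the document exists.
function authorize(doc, subject, action) {
  const required = own(MIN_ROLE, action);
  const role = roleOf(doc, subject);
  if (!required || !role) return false;
  return ROLE_RANK[role] >= ROLE_RANK[required];
}

// Editing a comment needs the commenter role and authorship of that comment;
// in this example even the document owner cannot rewrite someone else's comment.
function canEditComment(doc, subject, commentId) {
  if (!authorize(doc, subject, 'comment')) return false;
  const comment = doc.comments.find((c) => c.id === commentId);
  return Boolean(comment) && comment.author === subject;
}
```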

## Encryption

### In transit

- Browser, live-collaboration, and REST API traffic is served over HTTPS. This encrypts data while it travels between your browser or API client and Comment.io's servers.

- Production session cookies are marked `Secure` and `HttpOnly`.

- State-changing browser requests carry a second hidden token to make sure they come from the real Comment.io app, not a hostile site.

### At rest

- All stored data — document text, comments, uploaded images, and operational records — is encrypted at rest by Cloudflare. See [Cloudflare's encryption documentation](https://developers.cloudflare.com/r2/reference/data-security/) for the technical specifics.

- Registered agent secrets are stored as one-way hashes. We can't recover the original secret for you; if it is lost or exposed, generate a new one and the old one stops working.

_Encryption covers both the network path and the storage layer for document operations._

```mermaid
flowchart TD
  C[Client] -->|HTTPS/TLS| W[Comment.io Worker]
  W -->|authorized operation| D[Document container]
  D -->|persistent state| DS[(Encrypted storage)]
  W -->|uploaded images| R2[(Cloudflare R2, encrypted)]
  D -->|comments, history, sync| C
```

## AI agents and third-party access

Comment.io is designed so humans can invite agents into documents. That doesn't mean every document is automatically sent to an AI provider.

- Comment.io doesn't send your document to an AI model by default.

- An agent can only read or write a document after it receives a valid document token or registered-agent authorization.

- If you paste a Comment.io token into another tool, install an agent, or configure a webhook, you're granting that external system the access represented by the token or integration.

- Webhook URLs are checked so they can't be pointed at internal addresses or loopback. Notification payloads are scoped to the event being delivered.
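An added example, not Comment.io's code, of the webhook destination check described in the last bullet: the URL is parsed and refused if it is not HTTPS, carries credentials, or points at loopback, private, link-local, unique-local or multicast address space. The exact set of blocked ranges and the HTTPS-only rule are assumptions made for this illustration.

```javascript
// Added example, not Comment.io's code: a webhook destination check that rejects
// non-public addresses before any request is sent. Blocked ranges are assumed.
const BLOCKED_V4 = ['0.0.0.0/8', '10.0.0.0/8', '100.64.0.0/10', '127.0.0.0/8',
  '169.254.0.0/16', '172.16.0.0/12', '192.168.0.0/16', '224.0.0.0/3'];

const ipv4ToInt = (ip) => ip.split('.').reduce((n, o) => n * 256 + Number(o), 0);

function isBlockedIPv4(ip) {
  const n = ipv4ToInt(ip);
  return BLOCKED_V4.some((cidr) => {
    const [base, bits] = cidr.split('/');
    const mask = (0xffffffff << (32 - Number(bits))) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Expand "::" into eight 16-bit groups. The URL parser has already put the
// address into canonical hex form, so no dotted-quad tail can appear here.
function expandIPv6(ip) {
  const [head, tail = ''] = ip.split('::');
  const h = head ? head.split(':') : [];
  const t = tail ? tail.split(':') : [];
  const fill = ip.includes('::') ? Array(8 - h.length - t.length).fill('0') : [];
  return [...h, ...fill, ...t].map((g) => parseInt(g, 16));
}

function isBlockedIPv6(ip) {
  const g = expandIPv6(ip);
  const leadingZero = g.slice(0, 5).every((x) => x === 0);
  if (leadingZero && g[5] === 0 && g[6] === 0 && g[7] <= 1) return true;   // :: and ::1
  if (leadingZero && g[5] === 0xffff) {                                    // IPv4-mapped
    return isBlockedIPv4([g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.'));
  }
  // fc00::/7 unique-local, fe80::/10 link-local, ff00::/8 multicast
  return (g[0] & 0xfe00) === 0xfc00 || (g[0] & 0xffc0) === 0xfe80 || (g[0] & 0xff00) === 0xff00;
}

function isAllowedWebhookUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'https:') return false;               // outbound hooks use TLS only
  if (url.username || url.password) return false;            // no embedded credentials
  const host = url.hostname.toLowerCase();                   // numeric forms already canonical
  if (host === 'localhost' || host.endsWith('.localhost')) return false;
  if (host.startsWith('[')) return !isBlockedIPv6(host.slice(1, -1));
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return !isBlockedIPv4(host);
  // A DNS name: resolve it and run the same address checks again at connect
  // time, since a public-looking name may resolve to an internal address.
  return true;
}
```

The same address check belongs on every redirect the delivery follows, since a public endpoint can otherwise redirect the request back inside the network.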

## Authentication and sessions

- **OAuth login.** Human accounts sign in through Google, Microsoft, or Apple OAuth. Comment.io receives only the identity information needed for login and display.

- **Short browser sessions.** The session cookie is `HttpOnly`, `Secure` in production, and expires after 24 hours.

- **Cross-site request protection.** State-changing browser requests require a second token derived from your session, checked on the server before the request is accepted.

- **Agent credentials.** Registered agents use permanent `as_` secrets. We store hashes of these secrets and show the original value only when it's created.

- **Rate limits.** OAuth, handle registration, handle lookups, and other sensitive endpoints are rate-limited per IP.

## How we run the service

We keep the moving parts small on purpose.

- **Vendors.** Cloudflare (Workers, private containers, R2, KV, CDN, DDoS protection, TLS); Axiom (operational logs, retained up to 30 days); Sentry (frontend and backend error reporting and source map processing); Google, Microsoft, and Apple for OAuth login when you choose that provider. That's the entire list.

- **Logs.** Structured logs for status codes, request timings, and errors. Tokens, passwords, and OAuth refresh tokens are not written to logs.

- **Input validation.** REST endpoints validate expected input shapes and reject unexpected fields that could confuse identity handling.

- **Code review.** Security-sensitive code paths — auth, token handling, document access, storage migrations, and comment authorship — are reviewed before deployment.

- **Environment separation.** Staging and production deployments are separate. Production deploys require explicit human approval through GitHub Actions.

- **No investors, no acquisition pipeline.** Comment.io is bootstrapped. We have no plans to sell user data to fund a pivot.

See the [Privacy Policy](/privacy) for the current data collection, retention, and vendor disclosure. If we add a new vendor that handles document data, we'll update this page and the privacy policy and date the change.

## Incident response

If we confirm a security incident that affects user documents or account data, we'll prioritize containment, revoke or rotate affected credentials where possible, preserve evidence, and notify affected users with what happened, what data was involved, and what action they should take.

## Responsible disclosure

Found a security bug? Email [max@comment.io](mailto:max@comment.io). We triage good-faith reports promptly. Please don't access, modify, or exfiltrate data that isn't yours — describe the issue and we'll reproduce it on a test document.

No service can promise that a breach is impossible. We've tried to describe honestly what we do to make one unlikely, and what we'd do if one happened. If you're storing regulated, legally privileged, or extremely sensitive material, evaluate whether these controls match your requirements. This page is a companion to the [Terms of Service](/terms), not a substitute for them.