Security & Privacy
Your data stays yours. We use industry-leading security practices to protect every interaction, every connection, and every piece of data your PA touches.
Authentication & Access Control
All service connections use industry-standard OAuth 2.0 with encrypted token storage and automatic refresh. Your credentials are never stored directly.
π OAuth 2.0 Authentication
PA connects to Google and Microsoft services using OAuth 2.0 authorization. You grant access through the official provider login β we never see your password.
π Encrypted Token Storage
Access tokens and refresh tokens are encrypted at rest using AES-256. Tokens are stored in isolated, per-user encrypted stores.
π Automatic Token Refresh
Tokens are refreshed automatically before expiry. If a refresh fails, PA asks you to re-authorize β never silently failing.
βοΈ Granular Permissions
We request only the minimum scopes needed. You control which services are connected and can revoke access anytime from your Google/Microsoft account.
Confirmation Controls
Configurable approval gates before the PA takes sensitive actions. Preview-before-execute for operations that modify your data.
π§ Email Confirmation
When enabled, PA shows you the full email draft β recipients, subject, body β and waits for your "yes" before sending.
π Event Confirmation
Before creating, modifying, or deleting calendar events, PA presents the details and waits for approval.
π§ Per-User Configuration
Confirmation settings are per-user and per-action. Power users can disable confirmations for trusted operations while keeping them for others.
Content Security
Multi-layered protection against prompt injection, malicious content, and unauthorized actions.
π« Prompt Injection Protection
All external content (emails, documents, web results) is sanitized before being processed. Hidden instructions embedded in content are flagged and neutralized.
π¦ Sandboxed Execution
Custom tools run in isolated sandbox environments. No access to the host system, network, or other users' data. Resource limits enforced.
π Input Sanitization
All user inputs and external data are sanitized. Suspicious patterns are logged and flagged for review.
π Audit Logging
All PA actions β emails sent, events created, tools executed β are logged for accountability and audit trail purposes.
Data Privacy & Compliance
GDPR-compliant by design. Your data is processed only for the actions you request.
πͺπΊ GDPR Compliance
Comturk processes data in accordance with GDPR. Users can request data export and deletion at any time.
π Data Minimization
PA only accesses data you explicitly request. No background scanning, no data mining, no selling to third parties.
ποΈ Memory Controls
You can view, edit, and delete any memory your PA has stored. Full control over what your PA remembers.
π’ On-Premise Option
For maximum data sovereignty, deploy Comturk on your own infrastructure. Data never leaves your servers. Learn more β
Frequently Asked Security Questions
Does Comturk store my email passwords?
Can the PA send emails without my approval?
Is my conversation data used to train AI models?
What happens if I disconnect a service?
Are custom tools secure?
Can I get Comturk on my own servers?
Your Privacy Is Our Priority
Start using your AI Personal Assistant with confidence.