Q: Security Concern: External JS Loading & GDPR Compliance
Hi, I’ve already grabbed the LTD, great tool so far! Quick question on security: since the JS is loaded from your servers, it can execute code on every page it’s embedded in. That means it could, in theory, be changed at any time and access user data, cookies, etc. I know this is common with SaaS tools, but for client-facing sites, it’s something I need to consider carefully. Do you have safeguards like versioning, integrity checks, or plans for a self-hosted/static JS option? And how are you handling compliance (e.g. GDPR) around this? Thanks!
Kaaberma
May 25, 2025
A: I designed this tool mainly for use on preview URLs, not for live production sites, so I recommend removing the script before launching. That said, I know some users do keep it on live environments.
It’s true that any externally loaded script, including mine, could be changed at any time, so trust in the provider is important—recent incidents like the Honey extension show why this matters.
I’m based in the EU and fully accountable under EU law, including GDPR compliance. If you have specific security or compliance concerns, I’m happy to discuss them further.
Regarding GDPR - all our servers and databases are located in Stockholm, Sweden, ensuring that data is stored and processed within the EU. Secondly, we only collect data critical for the app’s functionality, to adhere to GDPR’s data minimization rules.
Then we secure data with trusted data centers, HTTPS/TLS encryption for data in transit, encryption for data at rest, and strict access controls. We use referrer checks to ensure the Simple Commenter script only works on your authorized website, preventing unauthorized use.
To further comply with GDPR, we’re transparent about data use and support user rights, like data access or deletion requests. Our analytics tool is GDPR-compliant, avoiding invasive tracking or retargeting to respect user privacy.