Security Documentation for CISOs

Technical specifications for security review. Built on AWS infrastructure with a privacy-first architecture; customer code and data are never used to train AI models.

AI Trust & Transparency

How our AI works and how your data is protected

AI-powered testing introduces its own security considerations: your code is sent to a language model, and the model's output becomes part of your test suite. Coco addresses these through architectural design, not infrastructure alone, so your code stays secure while you benefit from AI automation.


What LLM does Coco use?

LLM Provider

Coco uses enterprise-grade LLMs accessed through secure API integration. All communications are encrypted in transit with TLS 1.3. Data processing agreements with the LLM provider prohibit the use of your data for model training. Because prompts built from your code are processed by that provider, its retention and logging terms under those agreements are the first thing to ask about in a security review.


How is data handled?

Data Encryption

Your code and test data are encrypted at rest (AES-256) and in transit (TLS 1.3). Customer data is logically isolated and never mixed with other customers' data. Your data is never used for model training.


How does AI make decisions?

AI Workflow

A progressive three-stage workflow with a human review gate after each stage limits the impact of AI hallucinations: generate test cases, review; generate test steps, review; generate code only from the validated steps. You approve each stage, so nothing reaches your test suite without sign-off and every intermediate artifact stays visible. No black boxes.


Is there privacy isolation?

Data Isolation

Yes. Customer data is logically isolated at the database and application layers and encrypted at rest and in transit. Your tests and code remain private to your organization.


AWS Infrastructure Certifications & Compliance

Built on enterprise-certified AWS infrastructure with industry-leading security frameworks

Compliance Standards


AWS Infrastructure Certifications

Built on AWS infrastructure that maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 and PCI DSS Level 1 certifications. These are AWS's certifications: under the AWS shared responsibility model they cover the infrastructure layer that Coco runs on, and Coco benefits from that. They do not by themselves certify Coco's own application-layer controls; ask for the security architecture documentation for those.


Regulatory Compliance

Designed for GDPR compliance, on HIPAA-eligible AWS infrastructure. Multi-region deployment is possible via AWS (US, EU, Asia) for data residency. Contact us to discuss Data Processing Agreements (DPA) and specific compliance requirements, including the region in which your data is stored and processed.

Security Testing & Frameworks


Security Framework Alignment

Security architecture is aligned with the AWS Well-Architected Framework Security Pillar, OWASP Top 10 best practices, the NIST Cybersecurity Framework, and CSA STAR Level 1 (a self-assessment, not a third-party audit).


Security Practices

Automated vulnerability scanning of third-party dependencies. Security-focused development practices. Continuous security monitoring of the AWS infrastructure via CloudWatch.

Infrastructure Security & Enterprise Controls

Enterprise-grade encryption, access controls, and AWS-certified infrastructure

Data Protection


Encryption at Rest and in Transit

AES-256-GCM encryption for data at rest, with keys held in AWS Key Management Service (KMS) and rotated automatically. TLS 1.3 for all data in transit, with forward secrecy. Secrets managed via AWS Secrets Manager (in scope of AWS's PCI DSS Level 1 assessment) with strict access policies and audit logging. This is not end-to-end encryption in the sense of the customer holding the only key: Coco decrypts your data to build prompts and generate tests, so encryption at rest protects stored data rather than hiding it from the service.


Isolated Processing Environments

Every test generation runs in an isolated Docker container with no shared file system or network access between customers. Your codebase is stored securely and accessed read-only for context-aware generation. Code is deleted on request; contact support.

Access & Identity


Role-Based Access Control (RBAC)

Granular permissions based on the principle of least privilege. Team-based access controls manage who can view and edit projects. Session management with secure timeouts.


Multi-Tenant Data Isolation

Complete customer data segregation at the database layer (logical isolation with row-level security) and the application layer (tenant context enforcement). Network segmentation via AWS VPC with private subnets. Zero cross-customer data access, enforced through encryption, RBAC, container isolation and network segmentation.

Monitoring & Compliance


Complete Audit Logs & Export

All user actions (authentication, data access, configuration changes) are recorded in audit logs. 90-day retention with customer export capability; if your policy or compliance framework requires a longer log history, export on a schedule. Real-time monitoring via CloudWatch with configurable alerts.


AWS Infrastructure Security

Deployed on AWS with DDoS protection via AWS Shield Standard and AWS physical security controls. Multi-region deployment is possible via AWS for data residency requirements.

Questions About Our Security?

Schedule a technical security review with our team or request detailed documentation.

Request Security Review

Built on AWS-certified infrastructure (SOC 2, ISO 27001)
Detailed security architecture documentation available
Direct security contact: security@cocoframework.com

Data Protection Practices

How we handle your code and data

Your intellectual property is your most valuable asset. We have designed Coco with security and privacy as foundational principles, not afterthoughts.

What we collect:

User stories from your browser (with your explicit action)
Linked codebase with read-only access for context
Generated tests and content (stored automatically)

What we never do:

Train AI models on your code or tests
Share your data with third parties
Request write access to your repository
Allow cross-customer data access

Data retention:

Codebase stored for context-aware generation
Tests and generated content stored automatically
Code deleted on request (contact support)

Your controls:

Request data export (contact support)
Request code and data deletion (contact support)
Role-based access control for your team
Self-service data controls coming soon

Security & Compliance FAQ

What certifications does Coco have?

Coco is built on AWS infrastructure that maintains SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 and PCI DSS Level 1 certifications. These are AWS's certifications: they cover the infrastructure layer under the AWS shared responsibility model, and Coco benefits from running on it. They do not by themselves certify Coco's application-layer controls.

Are you GDPR compliant?

Coco is designed for GDPR compliance. Multi-region deployment is possible via AWS (US, EU, Asia). Contact us to discuss Data Processing Agreements (DPA) and specific compliance requirements.

Do you support HIPAA compliance for healthcare customers?

Coco is built on HIPAA-eligible AWS infrastructure. Running on HIPAA-eligible services does not by itself make an application HIPAA compliant, so healthcare customers with specific HIPAA requirements, including Business Associate Agreement (BAA) requirements, should contact us to discuss their compliance needs.

Is my code used to train AI models?

No. Your code and tests are never used to train AI models. We use enterprise-grade AI APIs with strict data processing agreements that prohibit training on customer data. Your intellectual property stays yours.

How long do you retain my data?

Your codebase is stored securely and accessed read-only for context-aware test generation. Code is deleted on request; contact support. Generated tests and content are stored automatically. Audit logs are retained for 90 days. For data export or deletion, contact support.

How do you handle data breaches or security incidents?

We have a comprehensive incident response plan with defined escalation procedures. Enterprise customers are notified within 24 hours of any suspected security incident affecting their data. We maintain detailed audit logs and work with third-party forensic teams when necessary.

What encryption standards do you use?

AES-256-GCM encryption for data at rest, TLS 1.3 for data in transit. Secrets managed via AWS Secrets Manager (in scope of AWS's PCI DSS Level 1 assessment). All encryption keys are rotated regularly and stored in AWS Key Management Service (KMS) with strict access controls.

How do you prevent cross-customer data access?

Multi-tenant data isolation is implemented at the database layer (row-level security) and the application layer (tenant context enforcement). Every test generation runs in an isolated, ephemeral Docker container. Zero cross-customer data access, enforced through encryption, RBAC, container isolation and network segmentation.
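The encryption and isolation claims above (AES-256-GCM at rest under KMS-held keys with rotation, in the Infrastructure Security section and the two FAQ answers just before this) are easier to review against a concrete pattern. The Go program below is an added example written for this page; it is not Coco's code and does not describe Coco's actual implementation. It assumes envelope encryption: a one-off data key per stored object, wrapped under a per-tenant key-encryption key (a local stand-in for a KMS key, since a real KMS key never leaves KMS), with the tenant and object id bound into the GCM associated data so that a row copied or re-labelled across tenants cannot be opened even by someone holding the right key. The tenant id for decryption comes from the caller's session, never from the request, which is the "tenant context enforcement" layer; the key and AAD binding is the "enforced through encryption" layer beneath it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KEK stands in for a per-tenant KMS key (an assumption of this example, not
// Coco's design): in production wrap/unwrap would be KMS GenerateDataKey/Decrypt.
type KEK struct {
	ID  string
	key []byte // 32 bytes: AES-256
}

// randBytes returns n CSPRNG bytes; a crypto/rand failure is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; every key here is 32 bytes, so an error is a bug.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return gcm
}

// seal prepends a fresh random 96-bit nonce to the output; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	gcm := aead(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm := aead(key)
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Envelope is the stored record: the wrapped data key travels with the object.
type Envelope struct {
	TenantID, ObjectID, KEKID string
	WrappedKey, Ciphertext    []byte
}

// aad binds a ciphertext to its tenant and object, so a row re-labelled across tenants will not open.
func aad(tenantID, objectID string) []byte {
	return []byte(tenantID + "\x00" + objectID)
}

// Encrypt uses a one-off data key per object, wrapped under the tenant's KEK.
func Encrypt(kek *KEK, tenantID, objectID string, plaintext []byte) *Envelope {
	dk := randBytes(32)
	return &Envelope{tenantID, objectID, kek.ID,
		seal(kek.key, dk, []byte(tenantID)),
		seal(dk, plaintext, aad(tenantID, objectID))}
}

// Decrypt takes the tenant from the authenticated session, never from the request;
// the KEK and AAD bindings reject a foreign envelope again if that check is ever bypassed.
func Decrypt(kek *KEK, sessionTenant string, env *Envelope) ([]byte, error) {
	if env.TenantID != sessionTenant {
		return nil, errors.New("tenant context mismatch")
	}
	dk, err := open(kek.key, env.WrappedKey, []byte(env.TenantID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dk, env.Ciphertext, aad(env.TenantID, env.ObjectID))
}

// Rotate re-wraps only the data key; the bulk ciphertext is untouched, as with KMS key rotation.
func Rotate(oldKEK, newKEK *KEK, env *Envelope) error {
	dk, err := open(oldKEK.key, env.WrappedKey, []byte(env.TenantID))
	if err != nil {
		return err
	}
	env.KEKID, env.WrappedKey = newKEK.ID, seal(newKEK.key, dk, []byte(env.TenantID))
	return nil
}

func main() {
	kekA := &KEK{"tenant-a/v1", randBytes(32)}
	env := Encrypt(kekA, "tenant-a", "test-42", []byte("constructed sample test body"))
	pt, err := Decrypt(kekA, "tenant-a", env)
	fmt.Printf("%s %v\n", pt, err)
}
```

Two review points this makes concrete. First, the word "automatic key rotation" for a KMS key means new backing material for that key: KMS keeps the old material so existing ciphertexts still decrypt, and nothing already stored is re-encrypted unless the application does what Rotate does here (re-wrap data keys) or re-encrypts the objects, so ask which of those happens and on what schedule. Second, the cryptographic binding only holds for data at rest; the service decrypts the object to build a prompt, so the tenant-context check in the application layer is what actually stands between tenants at generation time, and that is the control to ask to see tested.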