co5
Request beta access
Security

How we handle
your data, your access, your trust.

Honest about where we are. Specific about how we got there. This page is updated as the program matures — last reviewed June 2026.

01
Where we are today

Compliance framework, in progress.

co5 is a pre-Series-A company in closed beta. We're operating to SOC 2 Type II controls today and pursuing formal certification in alignment with first-customer commitments. We'd rather tell you the truth about our timeline than chase a logo.

SOC 2 Type II
Controls in place. Audit window opens with first paying customer commitment.
GDPR
DPA available on request. EU sub-processor list maintained.
CCPA
Compliant. Right-to-delete and right-to-export honored within 30 days.
HIPAA
Not applicable. We do not process PHI.
ISO 27001
On the roadmap, not currently certified.
02
Data in motion, data at rest

Encrypted both ways. Backed up. Recoverable.

Everything moves over TLS 1.3 (TLS 1.2 minimum). Postgres volumes encrypted at rest with AES-256. Daily snapshots retained 30 days, weekly retained 12 months. Disaster-recovery procedures tested quarterly. No customer data leaves our managed infrastructure for analytics or training.

In transit
TLS 1.3 / TLS 1.2 minimum, HSTS enforced, modern cipher suites only.
At rest
AES-256 encryption on Postgres volumes and object storage.
Backups
Daily snapshots × 30 days, weekly × 12 months, cross-region replication.
Recovery
RPO ≤ 24h, RTO ≤ 4h, quarterly DR exercises.
Model training
Your data is never used to train models — ours or our providers'.
03
Sub-processors

The vendors behind the platform.

We deliberately stack on vendors with mature security programs — every sub-processor below is independently SOC 2 attested. Full list maintained on request; any new vendor that touches customer data is reviewed before onboarding and added here with notice.

Application hosting
Vercel (frontend) + Railway (backend, Postgres, Redis, worker queues).
Authentication
Clerk — SSO, MFA, SOC 2 Type II, OIDC + SAML support.
Payments
Stripe — PCI DSS Level 1, no card data touches our infrastructure.
LLM providers
Anthropic, OpenAI, Google, Together AI, DeepSeek — zero-retention contracts where available.
Email delivery
MailerSend — transactional only, no marketing-list reuse.
Observability
Vercel Analytics, Sentry (errors), structured logs in Railway.
04
Who can see what

Workspace isolation by default.

Every organization is a separately scoped tenant. Cross-tenant queries are blocked at the database layer, not just the application. Our internal access to customer data is role-gated, logged, and reviewed quarterly. Production access requires MFA + named-purpose justification.

Tenant isolation
Row-level + listener-enforced filters on every tenant-scoped table.
Customer SSO
Available via Clerk — Google, Microsoft, Okta, custom SAML.
MFA
Required for all internal staff. Available for customer end-users.
Role gating
Roles supported: owner, admin, analyst, viewer (varies by plan).
Audit logs
Significant actions written to scan_incidents (durable) — surfaced in /api/health.
Production access
MFA-required, named-purpose, time-bounded, logged.
05
Your data is yours

Export it. Delete it. Take it with you.

If you close your account, your data is purged within 30 days — including backups within 90. Carol's memory is operator-curated and exportable as JSON at any time (you'll find this under Settings → Memory in the product). We don't share customer data with third parties, don't sell it, don't reuse it for marketing.

Data export
Self-serve JSON export of org data; Carol memory exportable at any time.
Deletion request
Account purge within 30 days; backup expiry within 90.
Data residency
Primary region: us-east. EU residency available on request for SOC-2-customer plans.
Third-party sharing
None outside the sub-processors listed above.
DPA
Available on request — covers GDPR, CCPA, sub-processor list, breach notification.
06
What happens when something goes wrong

Detection, response, and notification.

The platform has internal self-healing for known failure modes (watchdogs, auto-remediation, audit trails — all documented in our architecture docs). For security incidents, our policy is to notify affected customers within 72 hours of confirmed impact, with a written post-mortem within 14 days. We run continuous monitoring on auth events, anomalous API patterns, and infrastructure health.

Incident response
On-call rotation; named incident commander; 72h customer notification on confirmed impact.
Vulnerability disclosure
security@co5.ai — responsible-disclosure policy on request.
Penetration testing
Annual third-party pen-test before SOC 2 audit window opens.
Bug bounty
Coming after SOC 2. In the interim, we respond to all disclosed findings within 5 business days.
Monitoring
/api/health probes + UptimeRobot watchdog + structured logs + per-org spend caps.
Questions or concerns

Talk to a human.

For security questions, DPA requests, or vulnerability reports, write to security@co5.ai. For enterprise procurement, the founders are reachable directly.

Email securityarrow_forwardRequest beta accessarrow_forward