Trust & security
Secure by design
Choose how your team works with Cocodly, enforce identity through your IdP, control who can ship changes, and keep your prompts and generated projects out of model training—with contracts that back that promise.
Overview
Enterprise security controls
Cocodly integrates with modern identity: SAML and OIDC through providers like Okta, Azure AD, and Google where your plan supports it. SCIM-style automated provisioning and deprovisioning is on our enterprise roadmap. Permissions are role-based and enforced server-side across viewing, editing, approving, and publishing—so the UI never becomes the source of truth for authorization.
Editing, approval, and publishing are modeled as separate capabilities. Public access is controlled by role and environment settings so teams can move quickly without risking accidental exposure.
Secrets are encrypted at rest and access-controlled by role. They are not exposed in plaintext in logs or the product. Access is limited to authorized environments and actions you configure.
Data residency
Cocodly Cloud supports regional hosting commitments for the EU, US, and Australia on eligible contracts. Customer data remains in the region you select and does not move across regions by default. We maintain transparency about infrastructure and subprocessors so you always know where data lives and how it is handled.
Your data is not used to train models
We do not use customer prompts, code, or workspace data to train Cocodly-owned models. When we work with AI vendors, contractual agreements restrict training and retention of customer data. Your work stays yours.
Isolation by design
Each workspace and project is logically separated. Customer data is not accessible across accounts. Environment boundaries are explicitly evaluated before changes are published, keeping development and production distinct.
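The two ideas above, separate edit, approve and publish capabilities enforced server-side (Enterprise security controls) and an explicit environment check before anything is published (Isolation by design), can be sketched in a few dozen lines. The following is an added illustration written for this page, not Cocodly's own code; the role names, the role-to-capability map, the environment list and the "author cannot approve their own change" rule are assumptions chosen to make the example concrete.

```python
"""Server-side, deny-by-default authorization with separate edit/approve/publish
capabilities and an environment gate evaluated before publishing.
Example code added to this page; it is not Cocodly's implementation.
Roles, capabilities and environment rules below are assumptions."""

from dataclasses import dataclass, field
from enum import Enum


class Capability(str, Enum):
    VIEW = "view"
    EDIT = "edit"
    APPROVE = "approve"
    PUBLISH = "publish"


# Assumed role model. No single non-admin role holds both EDIT and APPROVE,
# so a change needs a second person before it can reach production.
ROLE_CAPABILITIES = {
    "viewer": {Capability.VIEW},
    "editor": {Capability.VIEW, Capability.EDIT},
    "approver": {Capability.VIEW, Capability.APPROVE},
    "releaser": {Capability.VIEW, Capability.PUBLISH},
    "admin": set(Capability),
}

# Assumed environment policy: protected environments require a recorded
# approval on the change; development does not. Unknown names fail closed.
ENV_REQUIRES_APPROVAL = {"development": False, "staging": True, "production": True}


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass
class Change:
    change_id: str
    author_id: str
    approved_by: set = field(default_factory=set)


class Denied(Exception):
    """Raised whenever the server refuses an action."""


def capabilities(principal):
    """Union of capabilities over the principal's roles; unknown roles grant nothing."""
    caps = set()
    for role in principal.roles:
        caps |= ROLE_CAPABILITIES.get(role, set())
    return caps


def authorize(principal, capability):
    """Deny by default: the decision is made here, never from UI state."""
    if capability not in capabilities(principal):
        raise Denied(f"{principal.user_id} lacks {capability.value}")


def can(principal, capability):
    """Boolean convenience wrapper around authorize()."""
    try:
        authorize(principal, capability)
        return True
    except Denied:
        return False


def approve(principal, change):
    authorize(principal, Capability.APPROVE)
    if principal.user_id == change.author_id:
        raise Denied("authors cannot approve their own change")  # assumed rule
    change.approved_by.add(principal.user_id)
    return change


def publish(principal, change, environment):
    """Capability check first, then the environment boundary, then the approval gate."""
    authorize(principal, Capability.PUBLISH)
    if environment not in ENV_REQUIRES_APPROVAL:
        raise Denied(f"unknown environment {environment!r}")
    if ENV_REQUIRES_APPROVAL[environment] and not change.approved_by:
        raise Denied(f"publishing to {environment} requires an approval")
    return {
        "change": change.change_id,
        "environment": environment,
        "published_by": principal.user_id,
    }
```

The point of the structure is that a client that hides or shows a "Publish" button changes nothing: every path into `publish()` re-derives the caller's capabilities from its roles and re-evaluates the environment policy, and any environment name the policy does not know is refused rather than treated as unprotected.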
Continuous monitoring & abuse detection
Cocodly monitors platform activity for misuse, anomalous behavior, and compromise. Automated systems enforce rate limits and detect abuse across users and workspaces; high-risk activity is reviewed by our trust and safety team.
Automatic security scanning
Generated code, dependencies, and configurations are checked for common vulnerabilities and unsafe defaults where applicable. Findings are triaged by severity and surfaced, with guidance, before deployment. Independent security testing and periodic assessments strengthen our controls over time.
Protected infrastructure
Cocodly Cloud is protected by web application firewall (WAF) controls, network isolation, encrypted data storage, and adaptive rate limiting at the IP, user, and workspace level.
Founder security
If you are preparing for SOC 2, ISO 27001, or investor diligence, we can provide documentation describing how Cocodly secures the builder, your data, and exports. Email security@cocodly.com with "Founder security / diligence pack" in the subject line.
For a readable walkthrough of what investors look for in technical due diligence—and how to pass it when your frontend ships from AI-assisted workflows—start with our Help center.
Find vulnerabilities before they find you
Automated checks cover schema validation, dependency hygiene, and unsafe patterns in generated projects—continuously as you build and before you publish. Pair that with your own CI for defense in depth.
Compliance
SOC 2 Type II, GDPR, ISO 27001
Formal attestations take time. We align engineering and documentation with SOC 2 Type II, GDPR, and ISO 27001 expectations and are on a published roadmap. Ask security@cocodly.com for the latest evidence pack—badges on our marketing site indicate direction, not a guarantee of current certification.
FAQ