Trust Centre

Security, Privacy, and Operational Assurance

Written by Rochelle Sanderson
Updated over 2 months ago

Overview

Cotiss operates a controlled, auditable, and resilience-focused environment designed to safeguard customer data and sustain operational continuity. This Trust Centre consolidates key operational assurances, security controls, and data governance expectations.

Data Handling Model

Cotiss processes customer data solely to deliver core platform capabilities, optimise product performance, and fulfil contractual requirements. Customer data is not used for marketing or external model training. See our AI Security and Compliance documentation and our Privacy Policy.

Data Types

  • User identity information (names, emails, job titles, phone numbers)

  • Procurement documentation including vendor artefacts

  • Application metadata, behavioural analytics, logs

  • No sensitive categories of data are required for platform operation

Customer Responsibilities

  • Customers retain responsibility for the accuracy, legality, and acquisition of rights for all uploaded content.

  • Customers must maintain lawful usage of the platform and comply with referenced Cotiss policies.

Security Architecture

Cotiss maintains a SOC 2 Type II audited security program with layered controls.

Encryption

  • AES-256 encryption at rest for documents

  • TLS 1.2+ encryption in transit

  • AWS KMS-managed keys with automatic rotation

  • No staff access to raw encryption keys

Access Management

  • RBAC with least-privilege enforcement

  • MFA, VPN, segmented network layers

  • Endpoint detection and response

  • Comprehensive audit logging across privileged actions

Application & Infrastructure Security

  • Continuous SIEM monitoring and alerting

  • Annual independent penetration testing

  • Secure SDLC, code review, dependency scanning

  • Device hardening (Mosyle MDM, FileVault, authentication enforcement)

Resilience & Continuity

  • Documented and tested DR/BCP frameworks

  • Redundant infrastructure, resilient AWS architecture

  • Secure media sanitisation processes

Personnel Controls

  • Background checks

  • Enforced onboarding/offboarding access workflows

  • Annual security and privacy training

  • Data classification standards

Subprocessors & Service Dependencies

Cotiss uses vetted third-party providers to deliver infrastructure, observability, and support services. The list below is current as of 1st December 2025. For an updated list, please contact your account manager or sales representative.

Infrastructure & AI

  • Amazon Web Services

  • OpenAI

Support & CRM

  • Intercom

  • HubSpot

Monitoring & Diagnostics

  • Sentry

  • New Relic

  • PagerDuty

  • AWS CloudTrail and CloudWatch

All service providers are contractually required to maintain appropriate security controls. Cotiss notifies customers of material subprocessor changes.

Rights, Response and Transparency

Export Rights

  • Customers may export their content at any time during the subscription.

  • A 30-day post-termination export window is available.

Incident Response

Cotiss maintains a formal incident response plan including escalation, investigation, and communication protocols.

If a confirmed security incident involves customer data, Cotiss provides:

  • A summary of the incident

  • Estimated scope and impact

  • Mitigation and remediation steps

  • Follow-up details as investigations progress

Cotiss operates a continuous improvement cycle after all incidents.

Transparency & Assurance

Cotiss provides:

  • SOC 2 Type II attestation

  • Security documentation sets

  • Architectural summaries

  • Responses to security questionnaires

Governance & Policy Alignment

Cotiss aligns practices with recognised industry frameworks for confidentiality, security, and availability. Annual independent audits validate control effectiveness.