Security
Security and compliance at every layer
CLA records are legal artifacts. We treat the security of your contributor data with the same rigor your legal team expects from the records themselves.
Encryption in transit and at rest
TLS 1.3 for all data in transit. AES-256 encryption for stored CLA records. Private keys are never stored alongside encrypted data.
Built with SOC 2 controls in mind
Our architecture is designed around SOC 2 Type II control categories — availability, confidentiality, and security. Formal certification is on our roadmap. We are not SOC 2 certified today, and we won't claim otherwise.
Access controls
Role-based access control, SSO support on the Enterprise plan, and an audit log of all admin actions. The principle of least privilege is enforced at the infrastructure level.
Data retention policy
CLA records are retained for your org's configured retention period. GDPR-compliant deletion is available on request. Deleted records are purged from backups within 30 days.
Found a vulnerability? Tell us first.
We run a responsible disclosure program. If you discover a security vulnerability in Cohorto, please report it to us directly before public disclosure. We commit to:
- Acknowledge receipt within 48 hours
- Provide an initial severity assessment within 5 business days
- Coordinate a disclosure timeline that gives us reasonable time to patch before public notification
- Credit researchers who responsibly disclose (if desired)
To report a vulnerability, email [email protected] with the subject line "Security Disclosure". Please include a description of the issue, steps to reproduce, and your contact information.