Security Policy

Please note, by signing up to our services, you are automatically agreeing to our Security Policy.

Please note this agreement is valid for all users signed up after 27th May, 2026.

Last updated: 27 May 2026
Security is foundational to how we build Cobay. Brands trust us with their order data, customer information, and operational backbone — and we take that responsibility seriously. This page summarizes the practices, controls, and principles that protect data on the Cobay platform. For specific commitments and obligations to our customers, please also see our Privacy Policy and Data Processing Addendum.

01 Our Security Principles

Defense in depth

We layer controls across infrastructure, application, and people, so no single failure exposes data.

Least privilege

Access is granted only when required and revoked when no longer needed.

Secure by default

New features ship with sensible defaults that prioritize security and privacy.

Continuous improvement

We treat security as ongoing work, not a one-time checklist.


02 Infrastructure Security

  • Trusted cloud providers. Cobay is hosted on industry-leading cloud infrastructure that maintains certifications such as ISO 27001, SOC 2, and others. Physical security of data centers is managed by the cloud provider
  • Network isolation. Production systems are segmented from corporate and development environments
  • Encryption in transit. All traffic to and from the Cobay platform is encrypted using TLS 1.2 or higher
  • Encryption at rest. Sensitive data is encrypted at rest using industry-standard algorithms
  • Backups. Customer data is backed up regularly. Backups are encrypted and access-controlled
  • DDoS protection. We use network-level protections against denial-of-service attacks

03 Application Security

  • Secure software development. Our engineering team follows secure coding practices, peer code review, and dependency scanning
  • Authentication. Strong password requirements, session management, and support for multi-factor authentication (MFA) on user accounts
  • Role-based access control. You can grant team members least-privilege access through built-in roles
  • Audit logs. Key actions are logged so customers can review activity on their accounts
  • Vulnerability management. We regularly scan dependencies and infrastructure for known vulnerabilities and patch them in line with severity

04 Access Controls and Personnel

  • Need-to-know access. Cobay personnel access customer data only when necessary to operate the Services, deliver support, or comply with law
  • Background checks. Employees go through standard onboarding checks where permitted by law
  • Confidentiality agreements. All employees and contractors are bound by confidentiality obligations
  • Security training. Employees receive security and privacy training appropriate to their role
  • Offboarding. Access is revoked promptly when an employee or contractor leaves

05 Monitoring and Incident Response

  • 24×7 monitoring. Production systems are continuously monitored for availability and security events
  • Incident response plan. We have a defined process for detecting, containing, investigating, and resolving security incidents
  • Customer notification. If a security incident affects your data, we will notify you in accordance with applicable law and our contractual commitments

06 Data Protection

  • You own your data. Customer Data belongs to you. We process it on your behalf to deliver the Services, as described in our DPA
  • Data isolation. Customer environments are logically separated
  • Data retention and deletion. When you cancel, your data remains available for export for 30 days, after which we delete it on a defined schedule, subject to legal retention requirements
  • Sub-processors. We work with a limited set of service providers. A current sub-processor list is available on request

07 Compliance and Standards

We design our practices to align with:

  • Digital Personal Data Protection Act, 2023 (India)
  • Information Technology Act, 2000 (India) and rules thereunder
  • GDPR and ePrivacy principles where applicable
  • Industry security best practices, including OWASP guidelines

We are continuously investing in formal certifications and will update this page as new certifications are achieved.


08 Your Role in Security

Security is a shared responsibility. We protect the platform; you protect your account and team:

  • Use strong, unique passwords and enable MFA
  • Grant team members only the access they need
  • Review audit logs and user lists periodically
  • Notify us immediately at security@cobay.com if you suspect unauthorized access to your account

09 Reporting a Security Vulnerability

We welcome reports from security researchers and customers. If you believe you've found a vulnerability in the Cobay platform, please contact us at security@cobay.com with:

  • A description of the issue and how to reproduce it
  • The potential impact
  • Any supporting screenshots, logs, or proof of concept

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate. We will acknowledge reports promptly and keep you informed of progress. We do not currently operate a paid bug bounty program, but we deeply appreciate responsible disclosure and will publicly acknowledge contributors where appropriate.