Skip to content
Cobay
Legal · Security

Security you can build on.

The practices, controls, and principles that protect your data on the Cobay platform.

Last updated · May 2026

01

Our Security Principles

Please note, by signing up to our services, you are automatically agreeing to our Security Policy.

Please note this agreement is valid for all users signed up after 27th May, 2026.

Security is foundational to how we build Cobay. Brands trust us with their order data, customer information, and operational backbone — and we take that responsibility seriously. This page summarizes the practices, controls, and principles that protect data on the Cobay platform. For specific commitments and obligations to our customers, please also see our Privacy Policy and Data Processing Addendum.

Defense in depth

We layer controls across infrastructure, application, and people, so no single failure exposes data.

Least privilege

Access is granted only when required and revoked when no longer needed.

Secure by default

New features ship with sensible defaults that prioritize security and privacy.

Continuous improvement

We treat security as ongoing work, not a one-time checklist.

02

Infrastructure Security

  • Trusted cloud providers. Cobay is hosted on industry-leading cloud infrastructure that maintains certifications such as ISO 27001, SOC 2, and others. Physical security of data centers is managed by the cloud provider.
  • Network isolation. Production systems are segmented from corporate and development environments.
  • Encryption in transit. All traffic to and from the Cobay platform is encrypted using TLS 1.2 or higher.
  • Encryption at rest. Sensitive data is encrypted at rest using industry-standard algorithms.
  • Backups. Customer data is backed up regularly. Backups are encrypted and access-controlled.
  • DDoS protection. We use network-level protections against denial-of-service attacks.
03

Application Security

  • Secure software development. Our engineering team follows secure coding practices, peer code review, and dependency scanning.
  • Authentication. Strong password requirements, session management, and support for multi-factor authentication (MFA) on user accounts.
  • Role-based access control. You can grant team members least-privilege access through built-in roles.
  • Audit logs. Key actions are logged so customers can review activity on their accounts.
  • Vulnerability management. We regularly scan dependencies and infrastructure for known vulnerabilities and patch them in line with severity.
04

Access Controls and Personnel

  • Need-to-know access. Cobay personnel access customer data only when necessary to operate the Services, deliver support, or comply with law.
  • Background checks. Employees go through standard onboarding checks where permitted by law.
  • Confidentiality agreements. All employees and contractors are bound by confidentiality obligations.
  • Security training. Employees receive security and privacy training appropriate to their role.
  • Offboarding. Access is revoked promptly when an employee or contractor leaves.
05

Monitoring and Incident Response

  • 24×7 monitoring. Production systems are continuously monitored for availability and security events.
  • Incident response plan. We have a defined process for detecting, containing, investigating, and resolving security incidents.
  • Customer notification. If a security incident affects your data, we will notify you in accordance with applicable law and our contractual commitments.
06

Data Protection

  • You own your data. Customer Data belongs to you. We process it on your behalf to deliver the Services, as described in our DPA.
  • Data isolation. Customer environments are logically separated.
  • Data retention and deletion. When you cancel, your data remains available for export for 30 days, after which we delete it on a defined schedule, subject to legal retention requirements.
  • Sub-processors. We work with a limited set of service providers. A current sub-processor list is available on request.
07

Compliance and Standards

We design our practices to align with:

  • Digital Personal Data Protection Act, 2023 (India)
  • Information Technology Act, 2000 (India) and rules thereunder
  • GDPR and ePrivacy principles where applicable
  • Industry security best practices, including OWASP guidelines

We are continuously investing in formal certifications and will update this page as new certifications are achieved.

08

Your Role in Security

Security is a shared responsibility. We protect the platform; you protect your account and team:

  • Use strong, unique passwords and enable MFA.
  • Grant team members only the access they need.
  • Review audit logs and user lists periodically.
  • Notify us immediately at security@cobay.com if you suspect unauthorized access to your account.
09

Reporting a Security Vulnerability

We welcome reports from security researchers and customers. If you believe you've found a vulnerability in the Cobay platform, please contact us at security@cobay.com with:

  • A description of the issue and how to reproduce it.
  • The potential impact.
  • Any supporting screenshots, logs, or proof of concept.

Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate. We will acknowledge reports promptly and keep you informed of progress. We do not currently operate a paid bug bounty program, but we deeply appreciate responsible disclosure and will publicly acknowledge contributors where appropriate.

Cobay Technology Private Limited, 15-2, 15-3, Kovaipudur Road, Coimbatore 641042, Tamil Nadu, India. Security questions: security@cobay.com. Privacy questions: privacy@cobay.com.

Questions about this document

Write to us — a human reads every mail.

support@cobay.com