Security is built into how Cozmo works
Cozmo runs millions of conversations for regulated financial institutions. Protecting the data in those conversations isn't an add-on — it shapes how we encrypt data, control access, and choose the systems we build on.
Compliance & frameworks
Our SOC 2 Type II audit is underway. We're happy to share our current status, roadmap, and available reports with prospects and customers under NDA.
An independent SOC 2 Type II examination is in progress. Status updates and, once available, reports are shared on request under NDA.
We align our processing with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, as set out in our Data Protection Standard.
CozmoX AI Ltd is incorporated in the Abu Dhabi Global Market and complies with its obligations under the ADGM Data Protection Regulations 2021.
How we think about security
A small set of principles guides every decision — from how we grant access internally to how we design the platform our customers rely on.
Access to customer data is limited to the people who need it to do their jobs, granted narrowly and revoked promptly on role change or departure.
Encryption, network segmentation, monitoring, and vendor controls layer together so no single safeguard is the only thing standing between data and risk.
The same safeguards apply across our services and environments rather than being bolted on for individual deployments.
We treat security as a practice that matures over time, tightening controls and adding assurance — including our in-progress SOC 2 program.
Protecting your data end to end
Customer data is encrypted in transit and at rest, and access to it is tightly controlled — internally and across the systems that deliver the service.
Customer data stored by the service is encrypted at rest using industry-standard methods.
Data moving between clients, our services, and our processing providers is encrypted in transit using industry-standard transport security.
Role-based, least-privilege access with unique user IDs and multi-factor authentication for administrative access. Access is removed promptly when it is no longer needed.
Personnel with access to customer data are bound by confidentiality obligations and receive security and privacy training.
Building and running the platform securely
Security controls run through how we build software, operate infrastructure, and respond when something goes wrong.
Secure development practices and vulnerability management are part of how we ship, alongside a segmented network architecture, firewalls, and monitoring.
Audit logging and security monitoring give us visibility into access and activity across our environments.
Data backup, redundancy, and disaster-recovery processes are designed to keep the service available and data durable.
We maintain an incident-response process and notify affected customers of material security incidents within a reasonable period after confirmation.
Sub-processors are engaged under due diligence and contractual data-protection obligations. A current sub-processor list is available on request.
Where a data-residency option is available for a jurisdiction, customers may request that data be hosted there, subject to availability.
Privacy, transparently documented
Our data-handling commitments are written down. Review them directly, or reach out for a counter-signed DPA and other procurement documents.
Reviewing Cozmo for security?
We're glad to walk your team through our controls, complete a security questionnaire, share our SOC 2 status, or provide a DPA for procurement.
Contact us at carehub@hellocozmo.ai