Security & Trust

Security is built into how Cozmo works

Cozmo runs millions of conversations for regulated financial institutions. Protecting the data in those conversations isn't an add-on — it shapes how we encrypt data, control access, and choose the systems we build on.

Request security details Read our DPA

Compliance & frameworks

Our SOC 2 Type II audit is underway. We're happy to share our current status, roadmap, and available reports with prospects and customers under NDA.

Underway
SOC 2 Type II

An independent SOC 2 Type II examination is in progress. Status updates and, once available, reports are shared on request under NDA.

Aligned
UAE PDPL

We align our processing with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, as set out in our Data Protection Standard.

Committed
ADGM Data Protection

CozmoX AI Ltd is incorporated in the Abu Dhabi Global Market and complies with its obligations under the ADGM Data Protection Regulations 2021.

Governance

How we think about security

A small set of principles guides every decision — from how we grant access internally to how we design the platform our customers rely on.

Least privilege by default

Access to customer data is limited to the people who need it to do their jobs, granted narrowly and revoked promptly on role change or departure.

Defense in depth

Encryption, network segmentation, monitoring, and vendor controls layer together so no single safeguard is the only thing standing between data and risk.

Controls applied consistently

The same safeguards apply across our services and environments rather than being bolted on for individual deployments.

Continuous improvement

We treat security as a practice that matures over time, tightening controls and adding assurance — including our in-progress SOC 2 program.

Data protection

Protecting your data end to end

Customer data is encrypted in transit and at rest, and access to it is tightly controlled — internally and across the systems that deliver the service.

Encryption at rest

Customer data stored by the service is encrypted at rest using industry-standard methods.

Encryption in transit

Data moving between clients, our services, and our processing providers is encrypted in transit using industry-standard transport security.

Access control

Role-based, least-privilege access with unique user IDs and multi-factor authentication for administrative access. Access is removed promptly when it is no longer needed.

People & confidentiality

Personnel with access to customer data are bound by confidentiality obligations and receive security and privacy training.

Platform & infrastructure

Building and running the platform securely

Security controls run through how we build software, operate infrastructure, and respond when something goes wrong.

Secure development

Secure development practices and vulnerability management are part of how we ship, alongside a segmented network architecture, firewalls, and monitoring.

Logging & monitoring

Audit logging and security monitoring give us visibility into access and activity across our environments.

Resilience & recovery

Data backup, redundancy, and disaster-recovery processes are designed to keep the service available and data durable.

Incident response

We maintain an incident-response process and notify affected customers of material security incidents within a reasonable period after confirmation.

Vendor management

Sub-processors are engaged under due diligence and contractual data-protection obligations. A current sub-processor list is available on request.

Data residency

Where a data-residency option is available for a jurisdiction, customers may request that data be hosted there, subject to availability.

Reviewing Cozmo for security?

We're glad to walk your team through our controls, complete a security questionnaire, share our SOC 2 status, or provide a DPA for procurement.

Contact us at carehub@hellocozmo.ai

Ready to see Cozmo AIhandle real operations?

We’ll open up a real workflow and show you exactly what happens with voice, documents, decisions and system updates.

Book a demo