GDPR
Policy alignedEU personal data handling commitments documented in our Privacy Policy and Data Processing Addendum.
Trust Center
coThink Trust Center
Security, privacy, and compliance documentation for vendor reviews. Policies, controls, subprocessors, and certification status in one place.
Compliance
View allCCPA / CPRA
Policy alignedCalifornia privacy rights and disclosures described in our Privacy Policy.
SOC 2 Type I
Readiness in progressPoint-in-time assessment of security control design.
SOC 2 Type II
RoadmapIndependent attestation of operating effectiveness of security controls over time.
HIPAA
PlanningHealthcare data handling support and BAA availability for eligible deployments.
ISO 27001
RoadmapInformation security management system certification.
Resources
View allLegal & Privacy
Security Documentation
Compliance
Compliance Roadmap
PublicCurrent controls, planned work, and certification status.
Subprocessors
PublicThird-party vendors that may process data on behalf of coThink.
SOC 2 Reports
Request when availableAudit reports when SOC 2 attestation is completed.
Controls
View allInfrastructure Security
- TLS 1.2+ enforced for client and API traffic
- HTTPS and HSTS on production application endpoints
- Infrastructure-layer encryption for persistent storage
Identity & Access
- Multi-factor authentication supported
- Passkeys (WebAuthn / FIDO2) supported
- Role-based access control for workspaces and administration
Application Security
- Security headers including content security policy
- CSRF protections on state-changing requests
- API rate limiting and input validation
Data & Privacy
- AES-256-GCM encryption for designated secrets and encrypted content
- Customer-controlled encrypted rooms (organization-managed and E2EE)
- Customer data export capabilities
AI Governance
- Bring Your Own Model — customer chooses AI providers
- Provider API keys encrypted at rest (AES-256-GCM)
- Customer Content not used to train third-party foundation models
Availability & Resilience
- Database backups with tested restore procedures
- Service health and error monitoring
- Incident response contact and reporting path
Implemented Planned
Subprocessors
View all| Vendor | Purpose | Category |
|---|---|---|
| Stripe | Billing | Payment processing |
| OpenRouter | Optional AI Routing | AI provider |
| OpenAI | Optional Customer AI Provider | AI provider |
| Anthropic | Optional Customer AI Provider | AI provider |
FAQ
View allWho owns my data?
You do. coThink does not claim ownership of your prompts, messages, files, notes, workspace content, or session artifacts.
Does coThink train AI models on my content?
coThink does not use Customer Content to train third-party foundation models through its platform-improvement processes.
Can coThink read encrypted rooms?
Not without the encryption keys. Decryption requires keys you control.
Can I export my data?
Yes. coThink supports data export capabilities so organizations can retrieve workspace content according to plan and configuration.
Updates
View all2026-06-24
Trust Center overhaul
Reorganized into Overview, Resources, Controls, Subprocessors, FAQ, and Updates. Added framework status cards, a control inventory, and grouped document links.
2026-06-23
Trust Center expansion
Added dedicated Trust Center pages for encryption, identity, infrastructure, application security, availability, and privacy. Published security.txt and expanded subprocessors list.
2026-06-23
Enterprise identity controls
SAML SSO service-provider flow, SCIM 2.0 user provisioning, and primary passkey sign-in are available for entitled organizations.