Security

Encryption & Key Management

How coThink protects data in transit, at rest, and in encrypted rooms.

Data in transit

All browser, API, and integration traffic uses TLS 1.2 or higher (TLS 1.3 preferred).
HTTP Strict Transport Security (HSTS) is enabled on production endpoints.

Data at rest

Designated secrets and encrypted content use AES-256-GCM application-layer encryption.
Infrastructure volumes use provider-managed encryption.

Secret management

Provider API keys, OAuth tokens, and organization encryption key material are encrypted before storage.
Platform encryption keys are held in secure environment configuration separate from ciphertext.

Encrypted rooms

Organization-managed (`ct-org-v1`) and end-to-end (`ct-e2ee-v1`) room modes use AES-256-GCM for message content.
E2EE rooms wrap per-message keys with RSA-OAEP-256 (4096-bit). Private keys are never uploaded.