Trust FAQ
Common procurement, security, privacy, and AI governance questions.
Who owns my data?
You do. coThink does not claim ownership of your prompts, messages, files, notes, workspace content, or session artifacts.
Does coThink train AI models on my content?
coThink does not use Customer Content to train third-party foundation models through its platform-improvement processes.
Can coThink read encrypted rooms?
Not without the encryption keys. Decryption requires keys you control.
Can I export my data?
Yes. coThink supports data export capabilities so organizations can retrieve workspace content according to plan and configuration.
Which AI providers can I use?
Any supported provider you choose. coThink is the collaboration layer—you connect OpenAI, Anthropic, Google, OpenRouter, Azure OpenAI, or other supported providers and control those relationships directly.
Does coThink sell customer data?
No. coThink does not sell Customer Content.
Can I use my own AI provider?
Yes. Bring Your Own Model (BYOM) lets you connect your own providers, choose models, and pay providers directly. coThink provides the workspace and collaboration layer.
What happens if I lose my encryption keys?
Loss of encryption keys may result in permanent loss of access to encrypted content. coThink may be unable to recover encrypted room data without customer-controlled keys.
Can administrators view workspace activity?
Workspace administrators can access audit-oriented records and administrative visibility according to role permissions and plan capabilities. Encrypted room content remains inaccessible without required keys.
How does coThink secure provider credentials?
Provider API keys are encrypted with AES-256-GCM before database storage using a platform-held encryption key. API responses never return plaintext keys. Access is restricted through role-based controls and administrative policies.
What encryption algorithms does coThink use?
coThink uses TLS 1.2+ (TLS 1.3 preferred) for data in transit, AES-256-GCM for symmetric encryption at rest, bcrypt (cost factor 10) for password hashing, and RSA-OAEP-256 (4096-bit) for wrapping per-message keys in end-to-end encrypted rooms. Passkeys use WebAuthn / FIDO2.
What is the difference between organization-managed and end-to-end encrypted rooms?
Organization-managed rooms (ct-org-v1) use a customer-controlled 256-bit organization chat key. Messages are encrypted with AES-256-GCM and the server can decrypt when the active org key is available—supporting AI inference and exports. End-to-end encrypted rooms (ct-e2ee-v1) wrap per-message AES keys with recipient RSA public keys; ciphertext is stored server-side but coThink cannot decrypt without client-held private keys.
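The ct-e2ee-v1 description above, sketched as an added example (not coThink's code or wire format): a per-message AES-256-GCM key is wrapped with each recipient's RSA-OAEP-256 public key, so the stored envelope can only be opened with a client-held private key. The envelope fields, function names, and the use of the room id as associated data are assumptions made for illustration.

```javascript
// Added illustration of hybrid (envelope) encryption as the FAQ describes it.
// Envelope layout and all names are assumptions, not coThink's format.
const crypto = require('node:crypto');

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client side: encrypt one message and wrap its key for each recipient.
function sealMessage(plaintext, recipients, roomId) {
  const key = crypto.randomBytes(32);   // fresh per-message AES-256 key
  const iv = crypto.randomBytes(12);    // 96-bit GCM nonce, never reused with a key
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(roomId));   // bind ciphertext to its room (assumed design)
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrappedKeys = {};
  for (const [userId, publicKey] of Object.entries(recipients)) {
    wrappedKeys[userId] = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  }
  // Everything returned is safe to store server-side: no key material in the clear.
  return { roomId, iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Client side: unwrap the message key with a private key, then decrypt.
function openMessage(envelope, userId, privateKey) {
  const wrapped = envelope.wrappedKeys[userId];
  if (!wrapped) throw new Error(`no wrapped key for ${userId}`);
  // Throws on OAEP decoding failure when the private key does not match.
  const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAAD(Buffer.from(envelope.roomId));
  decipher.setAuthTag(envelope.tag);
  // final() throws if ciphertext, tag, IV or associated data was altered.
  const plain = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  return plain.toString('utf8');
}

// Recipient key pair; 4096 bits matches the RSA size stated in the FAQ.
function newKeyPair(bits = 4096) {
  return crypto.generateKeyPairSync('rsa', { modulusLength: bits });
}
```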