Security

Security Overview

Authentication, encryption, access control, and monitoring.

Security Documentation

Detailed controls are organized by topic. Start with the overview below or jump to a focused page.

Encryption & Keys

TLS, AES-256-GCM, organization-managed and end-to-end encrypted rooms.

Infrastructure

Environment separation, ingress hardening, and operator access.

Availability

Backups, monitoring, and incident response readiness.

Privacy

Data ownership, retention, export, and subprocessors.

Security Principles

Least Privilege

Access is scoped to roles, rooms, and administrative functions required for each user.

Defense in Depth

Layered controls across identity, network, application, and data layers.

Secure by Default

Sensible defaults for authentication, session handling, and workspace permissions.

Customer Control

Organizations configure providers, encryption modes, retention, and access policies.

Cryptographic Standards

Algorithms coThink uses and where they apply.

Control                    | Algorithm / Standard                    | Application
---------------------------|-----------------------------------------|-----------------------------------------------------------------------------------------------------
Transport encryption       | TLS 1.2+ (TLS 1.3 preferred)            | All browser, API, and webhook traffic between clients and coThink services
Symmetric encryption       | AES-256-GCM                             | Message content, provider API keys, organization chat keys, and other designated secrets at rest
Password hashing           | bcrypt (cost factor 10)                 | Local account passwords; plaintext passwords are never stored
Key wrapping (E2EE rooms)  | RSA-OAEP with SHA-256 (4096-bit keys)   | Per-message AES content keys wrapped for each recipient public key
Authentication (passkeys)  | WebAuthn / FIDO2                        | Passwordless sign-in and multi-factor verification
Integrity                  | GCM authentication tags                 | Authenticated encryption for stored secrets and encrypted message envelopes

Authentication

Sign-in Methods

  • Passkeys (WebAuthn / FIDO2)
  • Email and password (bcrypt-hashed)
  • SSO via enterprise identity providers

Multi-Factor Authentication

  • TOTP authenticator apps
  • Email one-time codes
  • Passkeys as a second factor
  • Recovery codes for account recovery

Session Management

  • HTTP-only session cookies
  • Secure flag in production (HTTPS only)
  • SameSite=Lax cookie policy
  • Session invalidation on password change and sign-out

Platform Administration

  • TLS required for platform admin authentication
  • Separate elevated-access controls for super-admin operations

Access Control

Role-Based Access Control

Permissions are enforced at the organization, workspace, and room level. Administrative capabilities are separated from standard collaboration access.

Workspace Permissions

Room membership, invitation flows, and content visibility respect configured workspace and room policies.

Encryption Policy Controls

Authorized administrators can configure room encryption policies, including locking rooms to organization-managed or end-to-end encrypted modes.

Provider Credential Access

AI provider API keys are stored encrypted and are only decrypted server-side when required to fulfill authorized inference requests.

Encryption

Data in Transit

All connections between browsers, mobile clients, and coThink APIs use TLS. Production deployments enforce HTTPS and HTTP Strict Transport Security (HSTS) on the application tier.
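The cookie attributes listed under Session Management and the HSTS header described above, shown together in a small Go net/http handler. This is an added illustration, not coThink's code: the cookie name, the 12-hour lifetime, the HSTS max-age and the sign-in route are assumed values, and the handler only issues the cookie rather than performing real authentication.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Assumed cookie name; coThink's actual name is not stated on the page.
const sessionCookieName = "session"

// withHSTS makes every response from the application tier carry
// Strict-Transport-Security, so browsers refuse plain HTTP to this host
// for max-age seconds (value assumed).
func withHSTS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Strict-Transport-Security", "max-age=31536000; includeSubDomains")
		next.ServeHTTP(w, r)
	})
}

// newSessionCookie carries the attributes from the Session Management list:
// HttpOnly (no script access), Secure in production (HTTPS only), SameSite=Lax.
func newSessionCookie(id string, production bool) *http.Cookie {
	return &http.Cookie{
		Name: sessionCookieName, Value: id, Path: "/",
		HttpOnly: true, Secure: production, SameSite: http.SameSiteLaxMode,
		MaxAge: int((12 * time.Hour).Seconds()), // assumed lifetime
	}
}

// newSessionID draws 256 bits from the OS CSPRNG; session IDs must be unguessable.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// signInHandler issues a fresh session cookie (authentication itself is out of scope here).
func signInHandler(production bool) http.Handler {
	return withHSTS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, err := newSessionID()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, newSessionCookie(id, production))
		w.WriteHeader(http.StatusNoContent)
	}))
}

// issue performs one sign-in against an in-memory server and returns the
// session cookie and HSTS header it produced, so the attributes can be checked.
func issue(production bool) (*http.Cookie, string) {
	rec := httptest.NewRecorder()
	signInHandler(production).ServeHTTP(rec, httptest.NewRequest(http.MethodPost, "/sign-in", nil))
	res := rec.Result()
	var c *http.Cookie
	for _, ck := range res.Cookies() {
		if ck.Name == sessionCookieName {
			c = ck
		}
	}
	return c, res.Header.Get("Strict-Transport-Security")
}

func main() {
	c, hsts := issue(true)
	fmt.Printf("Set-Cookie: %s\nStrict-Transport-Security: %s\n", c.String(), hsts)
}
```

Running it prints the Set-Cookie line with HttpOnly, Secure and SameSite=Lax and the HSTS header. The Secure flag is tied to the production switch because a Secure cookie is never sent over plain HTTP, which is what the "Secure flag in production (HTTPS only)" bullet refers to.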

Outbound connections to customer-configured AI providers, calendar systems, and other integrations are made over TLS. Customers should verify provider endpoint security as part of their vendor review.

Data at Rest

Application-Layer Encryption

Designated sensitive data is encrypted with AES-256-GCM before persistence. Each encryption operation uses a unique 96-bit initialization vector (IV) and an authentication tag to detect tampering.

  • AI provider API keys
  • Organization chat encryption key material
  • Encrypted message ciphertext and envelopes
  • Advisor calendar event cache payloads

Infrastructure

Database and persistent storage volumes rely on provider-managed encryption at the infrastructure layer, in addition to application-layer encryption for designated secrets and encrypted content.

Platform encryption keys are held in secure environment configuration and are not stored alongside encrypted data.

Encrypted Rooms

coThink supports two optional room encryption modes. Both use AES-256-GCM for message content; they differ in who holds the decryption keys.

Organization-Managed Encryption (ct-org-v1)

  • 256-bit organization chat keys (generated or imported by the customer)
  • AES-256-GCM with per-message nonces and authenticated associated data
  • Associated data binds ciphertext to tenant, room, message, and key version
  • Key rotation with versioned envelopes
  • Organization key material stored encrypted at rest; server decrypts when the active org key is available

Suitable for organizations that want encrypted storage with server-side processing (AI inference, search, exports) on authorized content.
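A worked version of the ct-org-v1 properties listed above (and of the AES-256-GCM, 96-bit IV and authentication tag requirements under Application-Layer Encryption), written in Go with only the standard library. This is an added example, not coThink's implementation: the Envelope layout, the OrgKeyring type, the length-prefixed associated-data encoding and the identifier strings are all assumptions; the page states the properties, not this structure.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is an assumed layout for one stored message (versioned, nonce, tagged ciphertext).
type Envelope struct {
	KeyVersion int    // organization key version that sealed this message
	Nonce      []byte // 96-bit, fresh per encryption operation
	Ciphertext []byte // AES-256-GCM output with the 16-byte tag appended
}

// OrgKeyring holds every organization key version; Active is the one used to seal.
type OrgKeyring struct {
	Active int
	Keys   map[int][]byte
}

func NewOrgKeyring() (*OrgKeyring, error) {
	k := &OrgKeyring{Keys: map[int][]byte{}}
	return k, k.Rotate()
}

// Rotate generates a fresh 256-bit key and makes it active; older versions
// stay available so envelopes sealed under them still open.
func (k *OrgKeyring) Rotate() error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return err }
	k.Active++
	k.Keys[k.Active] = key
	return nil
}

// Fingerprint is the SHA-256 of a key version, a non-secret identifier for it.
func (k *OrgKeyring) Fingerprint(version int) string {
	sum := sha256.Sum256(k.Keys[version])
	return hex.EncodeToString(sum[:])
}

// aad binds the ciphertext to scheme, key version and the tenant/room/message
// identifiers; fields are length-prefixed so none can bleed into its neighbour.
func aad(keyVersion int, tenant, room, msgID string) []byte {
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], uint32(keyVersion))
	out := append([]byte("ct-org-v1"), v[:]...)
	for _, f := range []string{tenant, room, msgID} {
		var n [2]byte
		binary.BigEndian.PutUint16(n[:], uint16(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Seal encrypts one message under the active key with a random 96-bit nonce.
func Seal(k *OrgKeyring, tenant, room, msgID string, plaintext []byte) (*Envelope, error) {
	key, ok := k.Keys[k.Active]
	if !ok { return nil, errors.New("no active organization key") }
	aead, err := gcm(key)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize()) // 12 bytes = 96 bits
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	ct := aead.Seal(nil, nonce, plaintext, aad(k.Active, tenant, room, msgID))
	return &Envelope{KeyVersion: k.Active, Nonce: nonce, Ciphertext: ct}, nil
}

// Open looks up the key version named in the envelope and checks the tag against
// the same associated data; a mismatch in any of them is one opaque failure.
func Open(k *OrgKeyring, tenant, room, msgID string, env *Envelope) ([]byte, error) {
	key, ok := k.Keys[env.KeyVersion]
	if !ok { return nil, fmt.Errorf("key version %d not available", env.KeyVersion) }
	aead, err := gcm(key)
	if err != nil { return nil, err }
	pt, err := aead.Open(nil, env.Nonce, env.Ciphertext, aad(env.KeyVersion, tenant, room, msgID))
	if err != nil { return nil, errors.New("authentication failed: ciphertext, nonce or context altered") }
	return pt, nil
}

func main() {
	ring, _ := NewOrgKeyring()
	env, _ := Seal(ring, "tenant-a", "room-1", "msg-42", []byte("quarterly numbers"))
	_ = ring.Rotate() // version 2 becomes active; the version-1 envelope still opens
	pt, err := Open(ring, "tenant-a", "room-1", "msg-42", env)
	fmt.Println(string(pt), err, "key", ring.Fingerprint(env.KeyVersion)[:16])
	_, err = Open(ring, "tenant-a", "room-2", "msg-42", env) // same bytes, wrong room
	fmt.Println(err)
}
```

The second Open call fails even though the key, nonce and ciphertext are untouched, because the room identifier is part of the associated data: that is what "associated data binds ciphertext to tenant, room, message, and key version" buys in practice. The key version travels in the envelope rather than in the associated data alone so that rotation does not require re-encrypting history.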

End-to-End Encrypted Rooms (ct-e2ee-v1)

  • Per-user RSA-OAEP-256 key pairs (4096-bit modulus)
  • Unique AES-256 content key per message, wrapped for each recipient
  • Ciphertext stored server-side; coThink cannot decrypt without recipient private keys
  • Private keys held client-side in session memory during use

Suitable for teams that require client-held keys. If private keys are lost, coThink cannot recover E2EE content.
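The ct-e2ee-v1 key flow from the list above as a Go example using the standard library's crypto/rsa and crypto/cipher: one fresh AES-256 content key per message, wrapped with RSA-OAEP over SHA-256 for each recipient's public key, and unwrapped only with a recipient's private key. This is an added illustration, not coThink's client or server code; the Recipient and Message types are assumptions, and the private keys live in one process here purely so the round trip can be run, whereas the page states they are held client-side in session memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Recipient is an assumed room-member type holding an RSA key pair.
type Recipient struct {
	ID   string
	priv *rsa.PrivateKey
}

func NewRecipient(id string, bits int) (*Recipient, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil { return nil, err }
	return &Recipient{ID: id, priv: priv}, nil
}

func (r *Recipient) Public() *rsa.PublicKey { return &r.priv.PublicKey }

// Message is one ciphertext plus the content key wrapped once per recipient.
type Message struct {
	Nonce       []byte
	Ciphertext  []byte
	WrappedKeys map[string][]byte // recipient ID -> RSA-OAEP(SHA-256) of the AES key
}

// Encrypt draws a fresh 256-bit content key for this message, seals the
// plaintext with AES-256-GCM, then wraps the key for every recipient public key.
func Encrypt(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Message, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil { return nil, err }
	block, err := aes.NewCipher(contentKey)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	msg := &Message{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for id, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil { return nil, err }
		msg.WrappedKeys[id] = wrapped
	}
	for i := range contentKey { contentKey[i] = 0 } // best effort: only wrapped copies leave here
	return msg, nil
}

// Decrypt is the client-side step: unwrap this recipient's copy of the content
// key, then open the ciphertext. Someone with no wrapped copy, or with the wrong
// private key, gets an error and never sees the plaintext.
func (r *Recipient) Decrypt(msg *Message) ([]byte, error) {
	wrapped, ok := msg.WrappedKeys[r.ID]
	if !ok { return nil, errors.New("no content key wrapped for this recipient") }
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, r.priv, wrapped, nil)
	if err != nil { return nil, fmt.Errorf("unwrap failed: %w", err) }
	block, err := aes.NewCipher(contentKey)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return aead.Open(nil, msg.Nonce, msg.Ciphertext, nil)
}

func main() {
	alice, _ := NewRecipient("alice", 4096) // modulus size the page states
	bob, _ := NewRecipient("bob", 4096)
	pubs := map[string]*rsa.PublicKey{alice.ID: alice.Public(), bob.ID: bob.Public()}
	msg, _ := Encrypt([]byte("board notes"), pubs)
	pt, err := bob.Decrypt(msg)
	fmt.Println(string(pt), err, len(msg.WrappedKeys), "wrapped copies")
}
```

The server in this model only ever stores msg: the nonce, the ciphertext and the wrapped keys. Without a recipient's private key none of those yield the content key, which is the concrete form of "coThink cannot decrypt without recipient private keys", and it is also why losing the private keys loses the content.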

Secrets Management

Provider API Keys

Customer-supplied AI provider credentials are encrypted with AES-256-GCM using a platform-held encryption key before database storage. API responses never return plaintext keys.

Organization Encryption Keys

Organization chat key material is fingerprinted (SHA-256) for identification and stored encrypted. Only authorized administrative flows can generate, import, or rotate keys.

Operational Secrets

Production secrets (encryption keys, database credentials, integration tokens) are supplied via secure environment configuration managed through infrastructure automation—not committed to source control.

Logging Redaction

Structured logging pipelines redact patterns matching API keys, tokens, passwords, encryption keys, and other sensitive fields before emission.
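An added example of the redaction step described above, run over a few constructed JSON log lines; it is not coThink's logging pipeline. It redacts on two axes: field names that are always secret regardless of value, and value shapes that look like credentials even under an innocent key. The key list, the value patterns, the provider-key prefix and the sample events are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Field names treated as secret whatever the value (assumed list).
var sensitiveKeys = map[string]bool{
	"password": true, "passwd": true, "api_key": true, "apikey": true,
	"token": true, "access_token": true, "secret": true, "encryption_key": true,
	"authorization": true, "cookie": true,
}

// Value shapes that look like credentials even under a harmless key name:
// bearer tokens, "sk-"-prefixed provider keys, long hex blobs (assumed shapes).
var sensitiveValues = []*regexp.Regexp{
	regexp.MustCompile(`(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{16,}`),
	regexp.MustCompile(`\bsk-[A-Za-z0-9]{16,}`),
	regexp.MustCompile(`\b[A-Fa-f0-9]{32,}\b`),
}

const redacted = "[REDACTED]"

// Redact walks a decoded structured event and replaces secret values in place,
// descending into nested objects and arrays so wrapped headers are covered too.
func Redact(v any) any {
	switch x := v.(type) {
	case map[string]any:
		for k, val := range x {
			if sensitiveKeys[strings.ToLower(k)] {
				x[k] = redacted
			} else {
				x[k] = Redact(val)
			}
		}
		return x
	case []any:
		for i := range x {
			x[i] = Redact(x[i])
		}
		return x
	case string:
		for _, re := range sensitiveValues {
			x = re.ReplaceAllString(x, redacted)
		}
		return x
	default:
		return v
	}
}

// RedactLine parses one JSON log line, redacts it, and re-serializes it.
// A line that fails to parse is withheld rather than emitted raw, since a
// pipeline that cannot see the fields cannot promise they are clean.
func RedactLine(line string) (string, error) {
	var event map[string]any
	if err := json.Unmarshal([]byte(line), &event); err != nil {
		return "", fmt.Errorf("unparseable log line withheld: %w", err)
	}
	out, err := json.Marshal(Redact(event))
	return string(out), err
}

// Constructed sample events; every value is made up.
var sampleLines = []string{
	`{"level":"info","msg":"provider configured","provider":"acme","api_key":"sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ"}`,
	`{"level":"warn","msg":"request failed","headers":{"Authorization":"Bearer eyJhbGciOiJIUzI1NiJ9.e30.abc"}}`,
	`{"level":"debug","msg":"upstream call","url":"https://api.example/v1?key=sk-ABCDEFGHIJKLMNOPQRSTUVWXYZ"}`,
}

func main() {
	for _, l := range sampleLines {
		out, err := RedactLine(l)
		fmt.Println(out, err)
	}
}
```

The third sample is the case the key-name list alone would miss: the provider key is embedded in a URL under the field "url", so only the value-pattern pass catches it. Keeping both passes is what makes "patterns matching API keys, tokens, passwords" hold for secrets that travel in unexpected fields.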

Monitoring & Incident Response

Audit Logging

Security-relevant actions—including authentication events, administrative changes, encryption policy updates, and key management operations—are recorded for review.

Security Monitoring

Operational telemetry supports detection of anomalous access patterns, failed authentication attempts, and service health degradation.

Operational Monitoring

Background workers, API services, and integration health are monitored to support availability and timely incident response.

Incident Response

Security issues can be reported through the Trust Center contact page. coThink investigates reported vulnerabilities and coordinates remediation according to severity.

Network & Application Security