Cocopipe Security & Compliance Overview
Last Updated: 11/11/2025
At Cocopipe OÜ (“Cocopipe”, “we”, “our”, or “us”), we take the protection of our customers’ data and the security of our systems seriously.
This Security & Compliance Overview describes our key technical, organizational, and procedural measures to safeguard information processed through the Cocopipe App and cocopipe.com.
This document complements the Privacy Policy, Data Processing Addendum (DPA), and Service Level Agreement (SLA).
1. Data Center & Infrastructure Security
- Cocopipe’s production systems are hosted in EU-based data centers, managed by reputable cloud providers (such as AWS or an equivalent EU provider).
- All data centers meet ISO 27001, SOC 2, or equivalent international security standards.
- Data is replicated across multiple availability zones for high availability and disaster recovery.
- Physical access to data centers is strictly controlled using biometric and electronic access systems.
2. Data Encryption
- In Transit: All data transmitted between user devices and Cocopipe servers is encrypted using TLS 1.2 or higher.
- At Rest: All databases, backups, and files are encrypted using AES-256 encryption.
- Encryption keys are managed securely and rotated according to industry best practices.
3. Access Control & Authentication
- Access to production systems is restricted to authorized personnel only, using role-based access control (RBAC).
- All administrative actions are logged and reviewed.
- Two-factor authentication (2FA) is required for internal access to administrative environments.
- Customers can enable MFA (multi-factor authentication) within their Cocopipe accounts.
4. Network & Application Security
- Firewalls, intrusion detection, and automated threat monitoring are implemented across all environments.
- Regular vulnerability scans and penetration tests are conducted.
- Security patches and updates are applied promptly following vendor releases.
- Cocopipe employs a zero-trust architecture approach for internal systems.
5. Data Protection & Privacy Compliance
- Cocopipe complies with the EU General Data Protection Regulation (GDPR) and relevant Estonian data protection laws.
- Cocopipe acts as a data processor for Customer Data and as a data controller for account and billing information.
- A dedicated Data Protection Officer (DPO) oversees compliance, audit readiness, and incident response.
- Customer data is never sold or shared with third parties without legal basis or consent.
6. Monitoring, Logging & Incident Response
- All access to systems, APIs, and data is logged and monitored for anomalies.
- Logs are retained for at least 12 months and protected against tampering.
- In the event of a security incident or breach:
  - Cocopipe will notify affected customers and authorities within 72 hours, where feasible.
  - Incident response procedures include containment, investigation, and remediation steps.
7. Backup & Disaster Recovery
- Automated encrypted backups are performed daily and retained for up to 90 days.
- Backup data is stored separately within EU-based environments.
- Disaster recovery procedures are tested periodically to ensure service continuity.
8. Vendor & Subprocessor Management
- Cocopipe engages subprocessors (e.g., hosting, analytics, payment processors) that meet security and compliance standards equivalent to ours.
- All subprocessors are subject to GDPR-compliant Data Processing Agreements.
- The current list of subprocessors is maintained at https://cocopipe.com/subprocessors.
9. Employee Security & Training
- All employees and contractors undergo background verification and security awareness training.
- Confidentiality agreements are mandatory.
- Access to data and systems follows the principle of least privilege (PoLP).
10. Compliance Framework
Cocopipe aligns its security program with internationally recognized frameworks and best practices:
- ISO/IEC 27001 Information Security Management
- SOC 2 Type II (or equivalent control framework)
- GDPR Articles 28, 32, and 35 compliance principles
- Regular internal and external audits to assess compliance
11. Responsible Disclosure
We welcome reports of security vulnerabilities.
If you discover a potential issue, please contact our security team:
📧 [email protected]
Reports are reviewed promptly, and valid findings may be acknowledged publicly once resolved.
12. Updates to this Policy
Cocopipe may periodically update this Security Overview to reflect evolving practices, technologies, or compliance requirements.
The current version is always available at https://cocopipe.com/security.
13. Contact
For questions about security or compliance:
📧 [email protected]
📍 Registered address: [To be added – Tallinn, Estonia]