Trust, transparency, shared responsibility.
This page is maintained by Cobat.tech LLC to answer common security and privacy questions about CobatOS. It describes app-visible controls and current practices — it is not an independent certification or audit report.
Shared responsibility
CobatOS is built on a layered model. Cobat.tech operates the control plane and the hosted product surface. Customers control their own data sources, model credentials, and the workflows they build on top of the platform. Some controls (such as MFA, role assignments, and integration scopes) are configured by the customer; others (such as transport encryption and tenant isolation) are operated by Cobat.tech.
Encryption
Traffic to and from CobatOS uses TLS 1.3. Customer state is encrypted at rest using AES-256. Model keys, OAuth tokens, and API credentials are stored in an encrypted secrets vault and are never exposed to agents in raw form — agents receive short-lived, scoped tokens at execution time.
Hosting & data residency
The control plane runs on managed cloud infrastructure. Customer data planes can be deployed in Cobat-hosted regions, the customer's own VPC, or fully on-premises on Enterprise plans. Region selection and residency commitments for regulated workloads are scoped during onboarding.
Access controls
CobatOS supports role-based access control at the organization, team, and workflow level. Enterprise plans add SSO/SAML, SCIM provisioning, and dedicated tenant isolation. Internal Cobat.tech access to customer environments is restricted to named personnel and logged.
Data handling & retention
Customer prompts, memory writes, tool invocations, and workflow runs are stored to power replay and audit. Retention windows are configurable per workspace; default windows are documented in the Data Retention policy. Cobat.tech does not train models on customer data and does not sell customer data to third parties.
Incident response & disclosure
Security issues should be reported to security@cobat.tech. We acknowledge reports within 24 hours and aim to remediate critical issues within 72 hours. Material security incidents that affect a customer's environment are communicated directly to the affected customer.
Compliance posture
Cobat.tech is working toward independent attestations and will publish certificate details here once issued. Until then, this Trust Center reflects current app-visible controls and practices rather than third-party verification. For audit requests, NDA-gated security documentation, or DPA execution, contact security@cobat.tech.
This page is editable content owned by Cobat.tech LLC and may be updated as the product evolves. It is not a certification by Lovable or any other party.