Security at Coconut
Security is built into how we design, develop, and operate our platform. We know our customers trust us with sensitive business data, and we take that responsibility seriously.
Architecture
Defense-in-depth
Rather than relying on any single control, we use multiple complementary safeguards to reduce risk, limit the impact of threats, and strengthen resilience across our platform.
Infrastructure
Segmented environments, encrypted backups, automated compliance
Application
Secure coding, peer review, automated testing, dependency management
Identity
RBAC, MFA, least privilege, centralized identity management
Data
AES-256 at rest, TLS 1.2+ in transit, managed key rotation
Engineering
Secure by design
Security is embedded throughout our product lifecycle, from architecture and development to deployment and support.
Infrastructure
Cloud infrastructure
Hosted on Amazon Web Services (AWS), leveraging enterprise-grade infrastructure security.
- Segmented environments
- Infrastructure-as-Code
- Network isolation
- Continuous monitoring
- Encrypted backups
- Automated compliance checks
Data protection
Encryption
Strong encryption everywhere
- TLS 1.2+ for data in transit
- AES-256 encryption at rest
- Managed secrets and key rotation
Access control
Tightly controlled access
- Role-Based Access Control (RBAC)
- Multi-factor authentication (MFA)
- Least privilege principles
- Centralized identity management
- Audit logging for privileged actions
- Regular access reviews
Monitoring
Active threat detection
- Continuous infrastructure monitoring
- Vulnerability scanning
- Security event logging
- Incident response procedures
- Business continuity planning
Assurance
Continuous assurance
Coconut carries out continuous assurance through periodic exercises and automated compliance monitoring.
- Secure vendor management
- Regular penetration testing
- Internal security reviews
Security documentation and assurance artifacts can be provided to customers under NDA where appropriate.
Training
Security education
All employees
Comprehensive security training at onboarding and annually, plus regular threat briefings from the security team.
Engineers
Dedicated live onboarding sessions focused on secure coding principles and practices.
Disclosure
Responsible disclosure
We welcome reports from security researchers and customers. If you believe you've discovered a security issue, please contact us. We will investigate all legitimate reports promptly.
Privacy
Customer data remains customer data.
We do not sell customer data, and we apply strict controls over how data is accessed, processed, and retained.
Questions about security?
We're happy to walk through our security practices, share documentation, or answer specific questions from your team.
