← Chief of Staff AI

Trust & Security

How we protect your business.

You are sharing sensitive business context with CoS AI — decisions, team dynamics, financial signals, personal commitments. That trust is the foundation of this product. Here is exactly what we do to protect it.

Last updated: April 13, 2026 · Questions: security@chiefofstaffai.ai

The most important thing first.

Your conversations, decisions, and business context are never used to train any AI model — not ours, not Anthropic's. What you share with CoS AI stays in your account. It informs your responses. It never leaves to benefit anyone else. This is not a policy grey area. It is a hard architectural boundary.

Available now on request

GDPR Data Processing Agreement

In assessment — Q3 2026

HIPAA Business Associate Agreement

Planned — Q4 2026

SOC 2 Type II Audit

For GDPR DPA requests: security@chiefofstaffai.ai

Security controls

What is in place today and what is on the roadmap.

Encryption in transit

TLS 1.2+ on all connections

Live

OAuth token encryption at rest

AES-256 via server-side encryption key

Live

Database encryption

Neon PostgreSQL — encrypted at rest by default

Live

AI data isolation

Your data is never used to train any AI model

Live

Employee data access

No employee can read your conversations or context

Live

Authentication

OAuth 2.0 via Google / Microsoft — no passwords stored

Live

Session management

Signed, httpOnly cookies — no localStorage tokens

Live

Rate limiting

All AI and auth endpoints rate-limited

Live

SOC 2 Type II

Audit planned — Q4 2026

Planned

GDPR Data Processing Agreement

Available on request for EU-based subscribers

Partial

HIPAA Business Associate Agreement

In assessment — Q3 2026

Planned

Penetration testing

Scheduled pre-Q3 2026

Planned

Where your data lives

All user data — conversations, decisions, captures, calendar connections — is stored in the United States on Neon PostgreSQL infrastructure. We do not currently offer EU or regional data residency hosting. If your organisation has a data residency requirement, contact us before signing up so we can advise accurately.

Uploaded documents (PDFs, spreadsheets) are stored on the application server and processed in memory. Extracted text and AI summaries are stored in your account database. Raw files are retained until you delete them from your account.

AI model and your data

CoS AI uses Anthropic's Claude API to generate responses, briefs, and analysis. Under Anthropic's API usage policy, data sent via the API is not used to train Anthropic's models. This applies to all content you share with CoS AI.

Your business context — including priorities, decisions, team information, and health signals — is stored in your account and injected into AI requests as needed to generate personalised responses. This context is yours exclusively. It is not shared with other accounts. It is not used to improve responses for other users.

CoS AI does not currently use any fine-tuned model trained on data from its user base. If this changes, we will notify all subscribers and update this page before implementation.

Who can access your data

No CoS AI employee reads your conversations, decisions, or business context. There is no customer support portal that exposes user data. Access to the production database requires direct server credentials, limited to the founder and is audited.

Calendar and email access tokens are encrypted using a server-side key before storage. They are decrypted only at the moment of an API call and never written to logs. If you disconnect a calendar integration, the tokens are deleted immediately.

Third-party providers

Every provider we use is bound by data processing terms and selected for their security posture.

AnthropicAI inference (Claude)

Prompts are processed to generate responses and not retained for model training. Anthropic's API data policy explicitly prohibits using API traffic to train models.

Security documentation →
NeonPostgreSQL database (United States)

Your business context, decisions, and captures are stored in a managed PostgreSQL instance hosted in the United States. Neon encrypts data at rest and in transit.

Security documentation →
StripePayment processing

Billing and card data are handled exclusively by Stripe. CoS AI never sees or stores card numbers. Stripe is PCI DSS Level 1 certified.

Security documentation →
Google / MicrosoftOAuth login + Calendar + Gmail

Calendar and email access uses OAuth 2.0 scopes. Access tokens are encrypted before storage. You can revoke access at any time from your Google or Microsoft account settings.

Security documentation →

Compliance roadmap

SOC 2 Type IIAudit planned Q4 2026

Independent audit of security controls, availability, and confidentiality. The universal standard for enterprise SaaS.

GDPR — Data Processing AgreementAvailable on request now

EU-based subscribers can request a DPA that covers data processing scope, retention, and transfer safeguards. Email security@chiefofstaffai.ai.

HIPAA — Business Associate Agr.Assessment Q3 2026

Required for healthcare CEOs who share data adjacent to patient care. Technical and legal assessment underway.

Penetration testingScheduled pre-Q3 2026

Third-party security assessment of the application and infrastructure.

Your data rights

AccessRequest a full export of all data we hold about you. Delivered within 30 days.
CorrectUpdate or correct any inaccurate information in your account at any time.
DeleteRequest full deletion of your account and all associated data. Processed within 30 days. Billing records are retained for 7 years as required by law.
ExportTake your context with you. We will provide a structured export of your decisions, priorities, captures, and brief history.
RevokeDisconnect any integration (Google, Microsoft) at any time from Settings. Access tokens are deleted immediately upon disconnection.

To exercise any of these rights: privacy@chiefofstaffai.ai

Incident response

In the event of a security incident that affects your data, we will notify affected subscribers by email within 72 hours of becoming aware of the breach — consistent with GDPR requirements. Notification will include: what data was affected, what happened, what we have done, and what you should do.

Security questions

If you work in a regulated industry and have specific security or compliance requirements before signing up, reach out directly. We will give you an honest answer — not a marketing one.

security@chiefofstaffai.ai