// SECURITY_COMPLIANCE

B2B Data Security & Compliance Statement

This statement is intended for information security, risk, legal, and procurement teams evaluating Cocoshede's abstract AI enterprise architecture mapping model.

Last updated: 24 May 2026

01

Technical abstraction methodology

Cocoshede is designed to decouple corporate reality from the sensitive data normally associated with enterprise architecture reviews. The system asks the user to describe the shape of the operating environment, not to expose the environment itself.

The intake model converts business context into structural configuration categories such as data class, hosting posture, system type, workflow volume band, department ownership, AI maturity, security posture, and bottleneck category. These abstractions are sufficient to generate a strategic AI adoption map without requiring access to underlying production assets.

  • No production network keys are required.
  • No API passwords, OAuth grants, database credentials, SSH keys, or private keys are requested.
  • No proprietary codebases, repository access, internal documents, source files, customer records, invoices, contracts, or emails are required.
  • No customer-specific vector index is created from private corporate files during the self-serve blueprint process.

02

LLM gateway guardrails

Cocoshede routes only abstract configuration payloads to inference components. The permitted payload is limited to business categories, selected options, operational labels, and sanitized high-level descriptions. Users are instructed not to submit sensitive operational data, personal data, credentials, raw files, or proprietary code.

Where enterprise LLM API endpoints are used, Cocoshede configures the available zero-data-retention, no-training, and data-isolation controls supported by the provider and account tier. User technical descriptions are not intentionally retained by Cocoshede for third-party model tuning, global model optimization, or cross-customer retrieval.

Generated outputs are stored as customer workspace artifacts so the user can access the purchased report. They are not used to train a public model or made available to other customers.

03

Encryption and transport security

Cocoshede requires encrypted transport for application traffic. In production, browser-to-application and application-to-provider communication should be served over HTTPS using modern TLS configurations, with TLS 1.3 preferred where supported by the hosting stack and client environment.

Configuration data, workspace records, generated blueprint payloads, audit events, payment-unlock state, and report access events are stored in managed PostgreSQL database infrastructure with encryption at rest. Database-node encryption is expected to use AES-256 or provider-equivalent encryption standards according to the selected cloud provider's managed database controls.

04

Data minimization and retention posture

The service is intentionally scoped to collect the minimum information needed to produce a strategy-grade enterprise AI blueprint. The platform's value comes from mapping structural parameters, not from ingesting sensitive datasets.

Operational telemetry is limited to service reliability, abuse prevention, auditability, payment confirmation, report access, and product-quality feedback. Cocoshede does not need persistent raw business records because the self-serve product does not request them.

05

Security officer review summary

Primary risk reduction: No file uploads, no database connections, no credential collection, no raw PII ingestion, and no proprietary code ingestion for the self-serve blueprint.

Data processed: Professional contact data, company metadata, categorical architecture inputs, abstract workflow descriptions, generated report artifacts, audit metadata, and payment status metadata.

Inference boundary: Only abstract structural payloads should be sent to model endpoints; provider no-training and retention controls are configured where supported.

Implementation boundary: Cocoshede outputs are planning artifacts. Production implementation requires customer-side validation, security review, vendor due diligence, and regulatory assessment.