CopilotZone Security Practices
This page describes CopilotZone's security posture, data handling approach, and what you should know before submitting training data to the Service.
- HTTPS enforced on all connections (HSTS preloaded)
- Hosted on shared LiteSpeed hosting with perimeter controls
- Regular automated backups of database and files
- File permissions locked on public HTML (644) and critical pages
- Monitoring for unauthorized file changes
- Signed session cookies; CSRF protection on all write operations
- Authenticator-app MFA required for administrative/high-privilege accounts
- Role-based access control (learner, admin, HR, system admin)
- Login rate limiting to defend against brute force
- Organization-scoped data isolation between customer accounts
- Audit logs for admin actions and access events
- Personal data limited to account, training, and billing purposes
- No selling or sharing of personal data for advertising
- Data retention follows operational and legal requirements
- Custom document uploads processed only for training conversion
- PHI / sensitive regulated data prohibited without signed BAA
- Incident response procedure for suspected breaches
- Security contact: hello@copilotzone.com
- Minimal necessary employee access to production systems
- File change monitoring with baseline + permission tracking
- Atomic deploys with pre-deploy integrity verification
What data you should and should not submit
If your organization requires HIPAA, PCI DSS, SOC 2, or other specific compliance arrangements, contact us before submitting sensitive content. We will evaluate whether appropriate technical and organizational measures can be established and provide written confirmation of any applicable agreements.
Subprocessors and third-party services
CopilotZone uses the following third-party services in connection with operating the platform:
- Hosting infrastructure — Shared LiteSpeed hosting environment for web serving, file storage, and database.
- Content delivery — Built-in CDN and caching for training audio and static assets.
- AI processing services — Local and cloud-based AI models used to generate training audio and convert documents into training content.
- Email delivery — Platform email for transactional messages, notifications, and support responses.
- Web fonts and frontend libraries — Google Fonts (Inter) and Tailwind CSS for the user interface.
We do not maintain a formal subprocessor list at this time. Subprocessors are used on an as-needed operational basis. Contact us if you need specific subprocessor disclosures for a vendor security review.
Data residency and geographic availability
Customer data is stored and processed on servers in the United States. CopilotZone currently provides the Service to customers in the United States only.
CopilotZone does not currently offer the Service to customers located in the European Union, European Economic Area, or United Kingdom. If your organization is located outside the United States or requires EU/UK data protection terms, contact us before using the Service or submitting personal data.
Security questionnaires and audits
We recognize that customers — particularly those in regulated industries — may request security documentation as part of their vendor evaluation process. We can provide:
- This Security page as a public overview of our practices
- Responsive answers to standard vendor security questionnaires (VSA, SIG, CAIQ, etc.)
- Information about our hosting environment, access controls, and data handling approach
Formal third-party penetration tests, SOC 2 Type II reports, or ISO 27001 certifications are not currently available. Contact us if your procurement or compliance process requires formal attestation — we will work with you to determine what is practical given our current stage.
Incident response
If you become aware of or suspect a security incident, data breach, or unauthorized access involving the CopilotZone platform:
- Contact us immediately at hello@copilotzone.com with a description of the suspected incident.
- We will acknowledge receipt within one business day and begin investigating.
- If a confirmed breach involves personal information, we will notify affected organizations as required by applicable law.
- We will provide a post-incident summary describing the scope, actions taken, and remediation steps.
Changes to this security page
This page may be updated to reflect changes in our security practices, infrastructure, or data handling approach. The current version will always be available at copilotzone.com/security.html.
Contact
For security questions, data handling concerns, vendor questionnaire requests, or to discuss specific compliance requirements, contact:
Email: hello@copilotzone.com
We aim to respond to security and compliance inquiries within two business days.