Security
Coppice handles construction estimates, lead pipelines, calendar invites, and customer communications - data that runs your business. This page describes the controls we have in place to keep that data safe and the practices we follow when something goes wrong.
1. Encryption
- In transit: All traffic between your browser, the Coppice iOS / desktop app, and our servers is encrypted with TLS 1.2 or higher. HTTP requests are redirected to HTTPS and HSTS is enforced on all production hostnames.
- At rest: Tenant databases live on encrypted volumes. Sensitive credentials (OAuth refresh tokens, API keys, third-party secrets) are stored in a per-tenant key vault and encrypted with AES-256-GCM using a separate vault encryption key.
- Backups: Daily automated database backups are encrypted and retained off-host with the same encryption posture as the live data.
2. Tenant Isolation
- Each customer workspace runs against its own isolated SQLite database file. Cross-tenant queries are not possible at the storage layer.
- Tenant context is enforced at every request via async-local-storage, scoped to the authenticated user's workspace; the application layer rejects requests that cross workspace boundaries.
- Files, meeting transcripts, leads, agent runs, and emails are all keyed to a single tenant id and never commingled.
3. Authentication & Access Control
- Sign-in: Google OAuth is the primary authentication method. We never see or store your Google password. Apple sign-in is supported on iOS.
- Account locking: Once an account is connected to a Google identity, future sign-ins are locked to that identity. Switching identities requires admin action.
- Session tokens: JWT access tokens are short-lived; refresh tokens are scoped to a single tenant and revocable from the dashboard.
- Role-based permissions: Admin, member, and viewer roles gate access to settings, billing, integrations, and audit logs.
- Third-party OAuth: Connecting Google Workspace, Microsoft 365, or other services never auto-creates Coppice accounts. Authentication and provisioning are separate paths.
4. Data Handling by AI Models
- Customer data sent to AI providers (Anthropic, OpenAI, and others Coppice uses to power agent features) is processed under zero-retention or no-training agreements where the provider supports them.
- AI providers do not use your data to train their models.
- Where AI conversation logs are retained for product improvement, retention is per-tenant and you can request deletion of specific conversations at any time.
5. Infrastructure
- Production runs on dedicated VPS hosts with hardened OS images, firewall rules, and SSH key-only access (no passwords).
- nginx terminates TLS using Let's Encrypt certificates with automatic renewal.
- Process supervision runs under PM2 with structured logging and crash recovery.
- Email delivery uses authenticated SMTP through Google Workspace, with SPF, DKIM, and DMARC enforced on all sending domains.
6. Logging & Audit
- Authentication events, integration connections, OAuth grants, role changes, and admin actions are recorded in a per-tenant audit log accessible to workspace admins.
- Application logs include request metadata but redact sensitive headers, tokens, and customer payload bodies.
- Logs are retained for the period required for security investigation and compliance, then rotated.
7. Vulnerability Management
- Dependencies are tracked and updated regularly; known-vulnerable packages are patched on a priority basis.
- Code changes go through review before reaching production. Destructive operations (database deletions, force-pushes) require explicit confirmation.
- We accept responsible-disclosure reports at security@coppice.ai. Please include reproduction steps and any proof-of-concept needed to validate the issue.
8. Incident Response
If we discover a security incident affecting customer data, our process is:
- Contain: Revoke compromised credentials, isolate affected systems, and stop the bleeding.
- Investigate: Determine scope, root cause, and what data was actually exposed (vs. theoretically reachable).
- Notify: Affected customers are notified directly. Where required by law (GDPR, CCPA, state breach-notification statutes), we notify regulators within the required timeframe.
- Remediate: Apply the fix, document the lessons, and adjust controls to prevent recurrence.
9. Data Portability & Deletion
- You can export your tenant data (leads, contacts, files, conversation logs) at any time from the dashboard.
- Account deletion is processed within 30 days, with the exception of records we are legally required to retain.
- OAuth tokens granted to Coppice can be revoked from the third-party provider's security settings (e.g. myaccount.google.com/permissions) at any time.
10. Subprocessors
We use a small set of vetted infrastructure and AI providers to deliver the Service. Each subprocessor has a contractual obligation to protect customer data on terms at least as strict as this policy. The current list is available on request to security@coppice.ai.
11. Reporting a Concern
For privacy-specific questions, see the Privacy Policy. For your contractual rights and responsibilities, see the Terms of Service.
12. Changes to This Page
We update this page when we add, change, or remove a security control that customers should know about. Material changes are announced in-app and via email to workspace admins.