Security

Coppice is built for operators handling sensitive business information. Security is a core product requirement, not a bolt-on. This page summarizes our approach to protecting your data.

1. Infrastructure

• Hosting: Production workloads run on hardened VPS instances in geographically separated data centers, with monitored network perimeters.
• Encryption in transit: All traffic is encrypted with TLS 1.2 or higher.
• Encryption at rest: Customer Data is encrypted at rest using industry standard ciphers.
• Backups: Daily encrypted backups with off-site replication and tested restore procedures.

2. Access Control

• Multi-tenant isolation at the database, storage, and application layers.
• Role-based access for internal staff with least-privilege defaults.
• SSH key-based access only to production hosts; no shared passwords.
• All administrative actions are logged and auditable.

3. Authentication

Customer authentication is handled via Google OAuth or password with strong hashing. Sign in with Apple is supported for native iOS clients. We never store third-party OAuth passwords.

4. AI and Data Handling

We route LLM requests through Anthropic and approved providers under enterprise data protection terms. Customer Data is not used to train foundation models without explicit consent. Conversation histories are retained per tenant configuration and may be exported or deleted on request.

5. Incident Response

We maintain a documented incident response process with on-call rotation and post-mortem reviews. We will notify affected customers within 72 hours of confirming a material security incident impacting their data.

6. Vendor Management

Subprocessors are evaluated for security posture before onboarding. The current subprocessor list is available on request to security@coppice.ai.

7. Reporting a Vulnerability

Found a vulnerability? Email security@coppice.ai. We commit to acknowledging reports within 2 business days and to good-faith collaboration with responsible researchers.