Security

Last updated: June 16, 2026

COBY builds a private product brain for your team. We connect to the tools you already use, turn that into structured knowledge, and let your team query it. Keeping that data yours, in the EU, and out of model training is the core of the job, not an afterthought.

The short version

  • Your data is stored in the EU (Supabase on AWS, Paris).
  • You own it. Delete any of it, or all of it, at any time.
  • We never train AI models on your data.
  • Access is least-privilege, with authentication required on every login.
  • Coby is built specifically for you. The exact data flow and retention are set in your agreement.

1. How your data flows

There are two ways we connect, agreed with you up front:

  • Read-only access to a database you designate, or
  • Scoped tokens to your existing tools (for example PostHog), which let our jobs pull only the data we agreed on.

That data goes to our backend on Railway (EU), where it is processed and transformed into the knowledge graph that powers Coby. The graph is stored in our Supabase (Postgres) database in the EU.

Because every Coby build is tailored to one client, the precise sources, scopes, and processing are written into your engagement and Data Processing Agreement. We do not connect anything that is not in that agreement.

2. Where your data lives

  • Database and knowledge graph: Supabase (managed Postgres), hosted on AWS in eu-west-3, Paris. Your data stays in the EU.
  • Backend and processing: Railway, EU region.
  • Cloud providers: AWS (under Supabase) and Google Cloud (under Railway).

Our infrastructure providers are independently audited, so the platform Coby runs on meets a high bar:

  • Supabase: SOC 2 Type 2, ISO 27001, HIPAA-capable.
  • Railway: SOC 2 Type 2, SOC 3.

These audits cover the platforms, not Coby itself. Our own certification path is described in section 8.

3. Encryption

  • In transit: all connections use TLS 1.2+ and HTTPS.
  • At rest: data is encrypted with AES-256, managed by Supabase at the storage layer.

4. Who can access your data

  • Access to production is restricted to a strictly limited set of authorized people, under least-privilege.
  • Administrative access requires multi-factor authentication.
  • No one browses your data in normal operation. Coby reads your data programmatically to build and serve your brain. Human access happens only for support or debugging you request, or where required by law.
  • Access and queries against your data are logged for review.

5. How we store the credentials you give us

  • The tokens you provide are stored in our EU Supabase database, encrypted at rest with AES-256.
  • They are used only by our backend jobs to fetch the data we agreed on. They are never exposed to a browser or shared with any third party.
  • You can revoke any credential at any time. Once revoked, we can no longer fetch from that source.

6. How Coby is reached

Coby is served as a single MCP endpoint over HTTPS with a very small surface, around three operations. Every request is authenticated, and each access token maps to a known owner for accountability. Moving this authentication to the OAuth 2.1 standard is on our near-term roadmap.

7. AI and your data

Coby uses AI in two places. We use OpenAI to compute embeddings, which turn text into vectors for search. Where a build involves reasoning tasks, we use Anthropic through AWS Bedrock.

Your data is not used to train AI models, not by us, and not by our model providers under the business terms we use. You keep all rights to your inputs and outputs.

If you would prefer that no third-party model touched your data, we can run open-source models on EU-hosted GPUs for both embeddings and reasoning.

8. Compliance and roadmap

Coby is delivered hand in hand with each client today, so there is not yet a shared product to certify. Two honest facts:

  • We build on infrastructure that is already certified (Supabase and Railway, see section 2), and we design each engagement to fit your compliance scope, for example your ISO 27001 controls or DORA third-party requirements.
  • As we move from bespoke builds toward a product, formal certification such as SOC 2 is a direction we intend to pursue.

A Data Processing Agreement is available and tailored to your engagement.

9. Your data is yours

  • You own your data. You can request deletion of any part of it, or all of it, at any time, even while you keep using Coby. We action deletion requests within 30 days, and usually sooner.
  • When an engagement ends, we delete your data in full by default.
  • This is also your right under GDPR. We treat it as the default, not a favor.

10. If a breach happens

We keep this written down so we can act fast and you always know where you stand. If a security incident affects your data, we follow these stages:

  1. Detect and assess. We identify the incident, classify its severity, and scope which data and which clients are affected.
  2. Contain. We isolate the affected systems immediately to stop the incident spreading, then begin remediation.
  3. Notify you. We inform affected clients without undue delay and within 48 hours of becoming aware of the incident, with what we know: what happened, what data is involved, the likely impact, and the steps we are taking.
  4. Notify regulators. Where personal data is affected, we notify the CNIL within 72 hours (GDPR Article 33) and inform affected individuals without undue delay where there is a high risk to their rights (GDPR Article 34).
  5. Investigate and remediate. We run a root-cause investigation, fix the underlying issue, and restore normal service.
  6. Post-mortem. We document what happened and what we changed so it cannot recur, and share a summary with affected clients on request.

11. Report a vulnerability

Found a security issue? Email founders@joincoby.com. We will not pursue legal action against good-faith researchers who respect scope and do not access or exfiltrate other clients' data. A formal bug bounty is planned.

12. Sub-processors and contact

We keep a current list of the services that help us run Coby:

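Sub-processor            | Purpose                            | Location
-------------------------|------------------------------------|-------------------------
Supabase (AWS)           | Database, storage, knowledge graph | EU (Paris)
Railway (Google Cloud)   | Backend processing                 | EU
OpenAI                   | Embeddings                         | US, no-training terms
Anthropic / AWS Bedrock  | Reasoning                          | US, EU region available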

Questions about security or privacy: founders@joincoby.com. Our Data Processing Agreement is available on request, and we are glad to complete your security questionnaire.
