# How does Cosine handle security, privacy, and IP?

**Cosine is designed for enterprise-grade security.** Whether deployed in the cloud, inside your VPC, or fully on-premise, Cosine ensures your source code, data, and intellectual property remain protected at all times.

***

### Security foundations

#### Data isolation

Every customer runs in a dedicated, isolated workspace — no data or context is ever shared between tenants. Each environment has its own storage, model instance, and encryption keys.

#### Encryption

* **In transit:** All communications use TLS 1.3 encryption.
* **At rest:** Repository data, logs, and model artifacts are encrypted using AES-256.

#### Access control

* Role-based access control (RBAC) with fine-grained permissions.
* Single sign-on (SSO) and SCIM support for enterprise identity providers (Okta, Azure AD, Google Workspace).
* Full audit logging of user and system activity.

#### Network security

* Private networking with zero-trust principles.
* Optional IP allowlisting.
* Support for VPN, VPC peering, and private endpoints.

***

### Data privacy and ownership

Cosine never trains on customer data. Your **code, tickets, and documentation remain your property** and are never used to improve shared models.

* No data is transferred to third-party LLM providers unless explicitly approved.
* Customers can request deletion of all stored artifacts at any time.
* Enterprise deployments (VPC/on-prem) guarantee **zero egress** of source code.

***

### Compliance and certifications

Cosine follows industry-standard security frameworks and is in the process of formal certification:

* **SOC 2 Type II** – in audit phase, completion expected 2025.
* **ISO/IEC 27001** – in implementation.
* Aligns with **GDPR** and **CCPA** for data protection.

Cosine is already deployed inside organizations whose standards exceed SOC 2 — including **global investment banks and defense contractors**.

***

### Optional customer controls

* **Custom key management (KMS)** – Bring your own encryption keys.
* **Data retention policies** – Configurable data lifespan and auto-purge schedules.
* **Audit exports** – Stream logs to your SIEM (Splunk, Datadog, etc.) for centralized monitoring.

***

### Why this matters

Most AI tools depend on third-party APIs that require data egress. Cosine’s vertically integrated architecture allows you to operate securely inside your own perimeter — even fully air-gapped if needed.

