
Security

How CoordOS handles security.

Last reviewed: 2026-05-07


CoordOS handles your QuickBooks, Drive, and (with your consent) Gmail through agents that act only on your authorization. Security is structural, not bolted on.

Data residency & ownership

Your customer-facing artifacts (bill extractions, approvals, learnings, reports) live in your Google Drive in your account. If you leave CoordOS, your data stays — you keep the originals, the extractions, the approvals, and the learning history.

Operational state we hold (sessions, cache, search index, approval-queue pointers) sits in Google Firestore in the GCP region you select (default: us-central1; Canadian customers default to northamerica-northeast2 / Toronto; EU customers default to europe-west1 / Belgium).

Audit logs sit in BigQuery, append-only, retained 7 years.

Encryption

  • In transit: TLS 1.3 everywhere. No plaintext on the wire.
  • At rest: AES-256 at the storage layer. OAuth refresh tokens are additionally encrypted with a per-tenant Customer-Managed Encryption Key (CMEK) in Cloud KMS — each tenant has its own key.
  • In use: OAuth refresh tokens never enter our LLM context. Only the Token Broker service can decrypt them; it mints short-lived (≤15 minute) access tokens to the MCP gateway and Write Service.

Access controls

  • You: Identity Platform with optional MFA; SSO available on the Business tier.
  • CoordOS staff: zero standing production access. Production changes go through PR review and automated deploy. Break-glass access is logged and alerts via PagerDuty.
  • Cross-tenant isolation: every Firestore document carries a tenant ID; security rules enforce match. Each tenant runs in its own Cloud Run service with its own service account — a compromised pod can only see its own data.

The approval gate (the structural guarantee)

No write to your QBO, Drive, or Gmail happens without a KMS-signed approval batch:

  • Each batch carries a natural-language summary, structured action list, before/after diff, dollar impact, evidence, expiration (≤24h), and single-use token.
  • The Write Service rejects any batch whose hash doesn't match the signature, whose expiration has passed, or whose user ID is not in your approval policy.
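
An added example, not CoordOS code: a sketch of the three rejection checks listed above plus single-use token enforcement. HMAC-SHA256 with a local demo key stands in for the Cloud KMS signature, and the field names, policy shape and sample batch are assumptions constructed for illustration.

```python
import hashlib, hmac, json

# Assumption: HMAC-SHA256 with a demo key stands in for the Cloud KMS signature;
# field names, policy shape and SAMPLE are constructed for illustration.
DEMO_KEY = b"constructed-demo-key"
MAX_TTL = 24 * 3600  # the page caps expiration at 24h
SAMPLE = {"tenant": "t-demo", "approved_by": "owner@example.com",
          "actions": [{"op": "qbo.bill.create", "amount": "1250.00"}],
          "dollar_impact": "1250.00", "token": "tok-0001",
          "issued_at": 1_700_000_000, "expires_at": 1_700_000_000 + 3600}


def batch_hash(batch):
    """Hash a canonical encoding so key order cannot change the digest."""
    canon = json.dumps(batch, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).digest()


def sign(batch, key=DEMO_KEY):
    """Stand-in signer: MAC over the batch hash, hex-encoded."""
    return hmac.new(key, batch_hash(batch), hashlib.sha256).hexdigest()


class WriteGate:
    def __init__(self, approvers, key=DEMO_KEY):
        self.approvers, self.key = set(approvers), key
        self.used_tokens = set()

    def check(self, batch, signature, now):
        """Return (allowed, reason); any failed check rejects the whole batch."""
        # 1. Signature first: no field of an unverified batch is trusted.
        if not hmac.compare_digest(sign(batch, self.key), signature):
            return False, "hash/signature mismatch"
        # 2. Expiration must not have passed, and validity must be <= 24h.
        if now >= batch["expires_at"] or batch["expires_at"] - batch["issued_at"] > MAX_TTL:
            return False, "expired or over-long validity"
        # 3. The approving user must be in the tenant's approval policy.
        if batch["approved_by"] not in self.approvers:
            return False, "approver not in policy"
        # 4. Single-use token: consumed only after every other check passes.
        if batch["token"] in self.used_tokens:
            return False, "token already used"
        self.used_tokens.add(batch["token"])
        return True, "ok"


if __name__ == "__main__":
    gate, sig, t = WriteGate({"owner@example.com"}), sign(SAMPLE), SAMPLE["issued_at"] + 60
    print(gate.check(SAMPLE, sig, t))
    print(gate.check(dict(SAMPLE, dollar_impact="9.00"), sig, t))
```

Verifying the signature before reading any field means the expiration and approver values being checked are the ones that were signed, and consuming the token last keeps a rejected batch from burning a valid approval.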

Audit

Every agent action (read, draft, approve, write, share) writes a row to BigQuery: tenant, action, resource, before-hash, after-hash, actor, agent session, timestamp. A daily CSV export goes to your Drive's _system/audit/ folder for portability. A customer-facing audit endpoint surfaces the full trail at app.coordos.ai/admin/audit.

Compliance posture

  • Sub-processors: public list
  • SOC 2 Type II: in progress — expected 2027 (Security + Confidentiality TSCs)
  • Penetration tests: annual; first test 2026 Q3
  • Vulnerability disclosure: policy
  • GDPR: Customer DPA at /dpa; EU sub-processors documented
  • Privacy: full policy

Incident response

Report security incidents to security@coordos.ai. We commit to:

  • Acknowledge within 24 hours
  • Investigate and scope within 5 business days
  • Notify affected customers within 72 hours of a confirmed material incident
  • Public root-cause analysis within 14 days for any incident affecting customer data

For severity-1 events (active exploit), use security@coordos.ai with subject starting [CRITICAL].

Threat model summary

Highlights of how the architecture defends against realistic attacks:

  • Token isolation: refresh tokens never enter LLM context; redaction middleware fails closed if token-shaped strings appear in prompts.
  • Prompt injection: document content treated as untrusted data, never instructions; structured output schemas; spotter pass on every ingested document; approval gate as final hard guarantee.
  • Multi-tenant isolation: per-tenant CMEK + service account + Firestore security rules; one tenant compromise cannot reach another.
  • Supply chain: SBOM via cosign + Sigstore for every container image; Dependabot for code; container scanning on every deploy.

Contact

  • Security incidents: security@coordos.ai
  • Privacy questions: privacy@coordos.ai
  • General support: support@coordos.ai