Security & AI FAQ

Common security, data protection, compliance, authentication, and AI questions for teams building with Coassemble Embed.

Data storage, regions, and encryption

Where is data stored and processed?

By default, all customer data is stored and processed on US-based infrastructure (currently Oregon, USA). This includes course content, uploaded documents, and AI processing.

Can you guarantee data is processed in a specific region?

Yes, on the Controlled Release server (previously called Enterprise) with region locking enabled. Region-Locked Server options are available for the UK and EU. The Standard Release server (previously Production) does not currently offer this guarantee.

What encryption standards are used?

  • Data at rest: AES-256.
  • Data in transit: TLS 1.2.
  • Database: encrypted at rest, with keys managed by our hosting provider.

Environments and server options

Are different environments segregated?

Yes. Production and testing use separate environments and separate databases.

What server options are available?

Your server environment is chosen up front as part of setup and cannot be changed afterwards without starting a new account. The options are:

  • Standard Release server (previously Production): a shared environment that receives platform updates immediately on each release.
  • Controlled Release server (previously Enterprise): a shared environment that receives updates two weeks after the Standard Release server, giving extra preparation time.
  • Region-Locked Server: data processed and stored within a specified region (UK or EU) for data residency or compliance requirements.
  • Dedicated server: a private, single-tenant environment, which can optionally be region-locked.
  • Self-hosting: the application runs in your own infrastructure, subject to commercial approval.

Authentication and cookies

Does the embedded experience use cookies?

No. The Embed flow is cookie-less by design so it works reliably inside iframes, which avoids problems caused by third-party cookie blocking in embedded contexts (for example, when Safari or Chrome treats an iframe as a third party). Coassemble does use cookies for the regular, non-embedded login experience.

How does authentication work in an embedded session?

Authentication uses a short-lived token (JWT) rather than a cookie-based session on Coassemble's domain:

  1. When the embeddable mounts, it holds a JWT in memory.
  2. It uses that JWT for each request to Coassemble's server.
  3. The JWT expires after 3 hours.
  4. A refresh mechanism maintains continuity when the token expires.
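The four steps above, sketched as an added example (not Coassemble's code): a holder that keeps the JWT only in memory, reads its expiry, and refreshes once when the token is close to expiring. `createTokenHolder`, `refreshFn` and `skewSeconds` are hypothetical names, and the token is assumed to carry the standard `exp` and `iat` claims.

```javascript
// Added example, not Coassemble code. createTokenHolder, refreshFn and
// skewSeconds are hypothetical; exp/iat are assumed standard JWT claims.
const THREE_HOURS_S = 3 * 60 * 60;

// Read the claims of a compact JWT without verifying it. The server
// validates the signature; the client only needs exp to schedule a refresh.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)));
}

function createTokenHolder(initialJwt, refreshFn, opts = {}) {
  const { skewSeconds = 60, now = () => Date.now() } = opts;
  let jwt = initialJwt; // closure only: never written to a cookie or localStorage
  let pending = null;   // shared by concurrent callers so refreshFn runs once

  // True when exp is missing or falls within skewSeconds of the current time.
  function needsRefresh() {
    const { exp } = decodeJwtPayload(jwt);
    return typeof exp !== "number" || exp - skewSeconds <= now() / 1000;
  }

  // Token to attach to the next request, refreshed first if it is about to expire.
  async function getToken() {
    if (!needsRefresh()) return jwt;
    if (!pending) {
      pending = Promise.resolve(refreshFn(jwt))
        .then((fresh) => (jwt = fresh))
        .finally(() => { pending = null; });
    }
    return pending;
  }
  return { needsRefresh, getToken };
}

// Constructed, unsigned sample token with a 3-hour lifetime (test data only).
function makeSampleJwt(iat, lifetime = THREE_HOURS_S) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const claims = { sub: "anon-user-1", iat, exp: iat + lifetime };
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.sample-signature`;
}
```

Because the token lives only in the closure, a page reload discards it and the embeddable has to obtain a new one when it mounts again.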

Access controls and logging

What internal access controls are in place?

We follow an internal Access Control Policy, available on request. Only authorised engineers have administrative access to production systems.

Are audit logs maintained?

Yes. API calls and data access are logged across our systems.

Compliance and documentation

What certifications do you hold?

A SOC 2 Type 2 certification. Documentation is available via the Coassemble Trust Centre at trust.coassemble.com. Our hosting infrastructure (via Render) sits on providers that maintain SOC 2 Type 2 and ISO 27001 certifications.

Are you GDPR compliant, and do you have a DPA?

Yes to both. Our standard Data Processing Agreement (DPA) is available and includes provisions covering data processing for AI-driven features.

Can you provide audit reports or security assessments?

Yes, on request.

Data retention and deletion

How long is uploaded data retained?

Indefinitely by default, unless deletion is requested.

How do I delete data?

Use the Embed API to delete courses through the available endpoint. Any UI to trigger deletion is built into your own integration. Opt-out processes are usually implemented on your side, and the course deletion endpoint supports those workflows.

Backups, incidents, and monitoring

What backups are in place?

Point-in-time recovery, allowing restoration to any point within the last 7 days.

What is your incident response plan?

We maintain an Incident Response Plan and a Business Continuity and Disaster Recovery Plan, both available on request.

How do you detect security and availability issues?

We use Vanta for continuous monitoring of data security and privacy controls, BetterStack for real-time system and model availability monitoring, and Segment to detect unusual usage patterns.

Privacy and PII

Does Embed require me to pass PII?

No. The Embed API does not require you to pass any PII to identify users, and we recommend sharing only anonymous identifiers with Coassemble.

What data is collected when documents are uploaded?

Uploaded documents are converted into a format the language model can process, and only document content (not PII) is sent to the model. When you use a feature like Transform a document, the uploaded file is securely stored in object storage.

AI processing

Which AI providers and models do you use?

Coassemble integrates with Google's AI services: Gemini Flash for text generation (course generation, document transformation, text refinement, translation), Gemini 2.5 Flash Image for AI-generated images, and Chirp for AI narration voices.

Is customer data used to train AI models?

No. Customer content, prompts, and uploaded documents are never used to train the underlying models.

Who owns AI-generated content?

You do. The customer retains full ownership of all content created in Coassemble, whether AI-generated or manually authored.

Are there token or file size limits for uploads?

There are no strict token limits. The models support a 1 million-token context window, and large documents (100 pages or more) can be uploaded, though the resulting content will be heavily summarised. The main guidance is pedagogical: keep courses under 25 screens.

What guardrails exist against AI hallucinations?

The system includes guardrails to keep generated content aligned with training and learning objectives. All language models can still hallucinate, so full factual accuracy cannot be guaranteed. AI generation gets you 80 to 90% of the way to a complete course, with a human review pass recommended to finalise it.

What happens if an AI provider has issues or changes?

We monitor model availability via BetterStack and use operational controls to maintain reliability. In some configurations Coassemble uses routing infrastructure such as OpenRouter to improve availability and manage failover. If we change AI providers, all customers are notified in advance, and partners on the Controlled Release server receive an additional 2 to 4 weeks' notice.

Subprocessors and infrastructure

Where are your subprocessors listed?

Our subprocessor list is available via the Coassemble Trust Centre at trust.coassemble.com. We vet subprocessors by reviewing vendor documentation and relying on published certifications and security assurances.

Who hosts the infrastructure, and how are denial-of-service attacks handled?

We use Render as our hosting provider. Render handles physical security, and the underlying infrastructure providers maintain SOC 2 Type 2 and ISO 27001 certifications. We rely on Render's built-in protections, and our infrastructure auto-scales to absorb high-load or denial-of-service traffic.

Do you conduct penetration testing?

Yes, an annual penetration test covering the platform broadly.

This article is maintained in our help centre.