01 · Certifications & attestations
Current status of each compliance framework Cofactor is working under. Where a framework is in progress, the report or attestation document is not yet issued; we'll update this page when it is.
| Framework | Scope | Commitment | Artifact | Status |
|---|---|---|---|---|
| PCI DSS | SAQ-A · Stripe-hosted card capture | Target · Q3 2026 | AOC available on request | In progress |
| SOC 2 Type II | Security · Availability · Confidentiality | Type I target · H2 2026 · Type II observation period to follow | Report available under NDA via your account team | Readiness underway |
| HIPAA | Business-associate posture · PHI workloads | BAAs signed per engagement where PHI may flow | BAA template available on request | Program documented |
| PIPEDA | Canadian federal privacy law · provincial overlays | Privacy Officer named · 30-day access response | Privacy Officer contact via legal@ | Privacy program documented |
We will not publish a certification claim before the report or attestation is issued by the relevant auditor. If you need to verify our status today, email legal@cofactor.consulting.
02 · Sub-processors
We share customer and end-user data only with the categories of recipients below, and only as needed to deliver the service. Each sub-processor is contractually bound to confidentiality and data-protection obligations no less protective than our Privacy Policy.
- Hosting and edge infrastructure. Cloudflare, Inc. — Workers, edge caching, DNS, WAF.
- Content management. Directus (self-hosted by Cofactor) for marketing-site content and operational metadata.
- Email and transactional messaging. Our outbound transactional email provider for account notifications, receipts, and password resets.
- Payment processing. A PCI-DSS-validated card processor for invoices and subscription billing. Card details are handled by the processor; we receive only tokenized references.
- Productivity and support tools. Vendors for shared mailboxes, ticketing, calendaring, and code repositories used to operate engagements.
- Professional advisors. Our accountants, auditors, and counsel, under professional confidentiality obligations.
A current named sub-processor list is available on request to legal@cofactor.consulting. We provide reasonable notice of new sub-processors to active customers before they begin processing customer data.
03 · Security practices
A readable summary of the controls that underpin our SOC 2 readiness. We can provide the formal control matrix on request.
Access & identity
- Multi-factor authentication required on every production system and code repository.
- Least-privilege access reviewed quarterly; just-in-time elevation for production change windows.
- Onboarding and offboarding checklists with provisioning and deprovisioning evidence retained.
- Background checks at hire for anyone with access to customer data.
Encryption & data protection
- TLS 1.2+ in transit for every customer-facing endpoint.
- Encryption at rest for every datastore that holds customer or end-user data.
- Secrets stored in dedicated vaults; never in source control, including environment files committed to repositories.
Change management
- Code review required for every change merged to production.
- Changes traced from ticket to pull request to deploy through our internal audit log.
- Hardened CI/CD: signed artifacts, ephemeral build environments, automated dependency scanning.
Monitoring, IR, and BCP
- Continuous logging and anomaly detection on edge and origin traffic.
- 24/7 on-call rotation with documented response targets — see our SLA.
- Incident Response Plan and Business Continuity / Disaster Recovery Plan reviewed annually and exercised at least once per year.
- Annual penetration test by an external firm; remediation tracked to closure.
Vulnerability management
- Weekly dependency scans and monthly infrastructure scans with documented patch SLAs.
- Coordinated disclosure program — see § 05.
04 · Data handling
We do not sell personal information. We do not "share" personal information for cross-context behavioral advertising. We do not use customer data or end-user personal information to train third-party machine-learning models, and where we use generative AI to deliver client features, we configure the model provider so that customer prompts and outputs are not retained for training.
Data residency. Cofactor is based in the United States; customer data is processed in the U.S. unless your order form specifies otherwise. Where required, we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or other lawful mechanisms for international transfers.
Full retention schedules and individual rights — including under the Florida Information Protection Act, the California Consumer Privacy Act, the GDPR, the UK GDPR, and PIPEDA — are documented in our Privacy Policy.
05 · Vulnerability disclosure
If you believe you've found a security vulnerability in any Cofactor service or in software we operate on behalf of a client, please report it privately first.
- Email security@cofactor.consulting with a description, reproduction steps, and any proof-of-concept material.
- We acknowledge receipt within one business day and provide a triage update within five business days.
- Please give us a reasonable window to remediate before any public disclosure. We will credit researchers who report responsibly, on request.
We do not currently run a paid bug bounty. We do not pursue legal action against researchers who follow this coordinated-disclosure process in good faith.
06 · Requesting documents
For procurement, audit, or due-diligence requests — including SOC 2 reports under NDA, the PCI Attestation of Compliance, sub-processor lists, the BAA template, our Information Security Policy, or any other compliance artifact — email legal@cofactor.consulting with a brief description of what you need and the engagement context. We respond within one business day.
Contact us →