CopilotZone CopilotZone
Security & Data Handling

CopilotZone Security Practices

This page describes CopilotZone's security posture, data handling approach, and what you should know before submitting training data to the Service.

Quick summary. CopilotZone is designed for small businesses that need practical, audit-ready employee training. We use HTTPS everywhere, role-based access controls, secure session management, regular backups, and controlled hosting infrastructure. We are not a HIPAA-covered entity by default. Do not submit PHI or sensitive personal data unless you have received written confirmation of appropriate data handling arrangements.
Infrastructure & Hosting
  • HTTPS enforced on all connections (HSTS preloaded)
  • Hosted on shared LiteSpeed hosting with perimeter controls
  • Regular automated backups of database and files
  • File permissions locked on public HTML (644) and critical pages
  • Monitoring for unauthorized file changes
Authentication & Access
  • Signed session cookies; CSRF protection on all write operations
  • Authenticator-app MFA required for administrative/high-privilege accounts
  • Role-based access control (learner, admin, HR, system admin)
  • Login rate limiting to defend against brute force
  • Organization-scoped data isolation between customer accounts
  • Audit logs for admin actions and access events
Data Handling
  • Personal data limited to account, training, and billing purposes
  • No selling or sharing of personal data for advertising
  • Data retention follows operational and legal requirements
  • Custom document uploads processed only for training conversion
  • PHI / sensitive regulated data prohibited without signed BAA
Operational Security
  • Incident response procedure for suspected breaches
  • Security contact: hello@copilotzone.com
  • Minimal necessary employee access to production systems
  • File change monitoring with baseline + permission tracking
  • Atomic deploys with pre-deploy integrity verification

What data you should and should not submit

Allowed data. You may submit employee names, work email addresses, job titles, training progress, quiz responses, completion records, administrative actions, and general company documents or SOPs for conversion into training content. This data is used to deliver and track employee training, administer accounts, and produce audit-ready completion reports.
Do not submit PHI or sensitive personal data without a signed BAA. Protected health information (PHI), patient records, treatment data, health insurance information, or similar sensitive regulated data may not be submitted to CopilotZone's platform unless and until you have received written confirmation that appropriate data handling arrangements — including a Business Associate Agreement or equivalent — are in place. Organizations that upload PHI without authorization may bear legal and compliance responsibility for that upload.

If your organization requires HIPAA, PCI DSS, SOC 2, or other specific compliance arrangements, contact us before submitting sensitive content. We will evaluate whether appropriate technical and organizational measures can be established and provide written confirmation of any applicable agreements.

Subprocessors and third-party services

CopilotZone uses the following third-party services in connection with operating the platform:

We do not maintain a formal subprocessor list at this time. Subprocessors are used on an as-needed operational basis. Contact us if you need specific subprocessor disclosures for a vendor security review.

Data residency and geographic availability

Customer data is stored and processed on servers in the United States. CopilotZone currently provides the Service to customers in the United States only.

CopilotZone does not currently offer the Service to customers located in the European Union, European Economic Area, or United Kingdom. If your organization is located outside the United States or requires EU/UK data protection terms, contact us before using the Service or submitting personal data.

Security questionnaires and audits

We recognize that customers — particularly those in regulated industries — may request security documentation as part of their vendor evaluation process. We can provide:

Formal third-party penetration tests, SOC 2 Type II reports, or ISO 27001 certifications are not currently available. Contact us if your procurement or compliance process requires formal attestation — we will work with you to determine what is practical given our current stage.

Incident response

If you become aware of or suspect a security incident, data breach, or unauthorized access involving the CopilotZone platform:

  1. Contact us immediately at hello@copilotzone.com with a description of the suspected incident.
  2. We will acknowledge receipt within one business day and begin investigating.
  3. If a confirmed breach involves personal information, we will notify affected organizations as required by applicable law.
  4. We will provide a post-incident summary describing the scope, actions taken, and remediation steps.

Changes to this security page

This page may be updated to reflect changes in our security practices, infrastructure, or data handling approach. The current version will always be available at copilotzone.com/security.html.

Contact

For security questions, data handling concerns, vendor questionnaire requests, or to discuss specific compliance requirements, contact:

Email: hello@copilotzone.com

We aim to respond to security and compliance inquiries within two business days.