Security & Trust

Security

Secure Transmission and Encryption

All data is encrypted in transit and at rest. Production systems are continuously monitored through logging, error handling, and real-time dashboards tracking live metrics. Alerts are triggered for unusual application states (e.g., high error rates, slow performance, failures) and are promptly investigated by our team.

Access to Cognition’s AWS cloud environment is granted on a need-to-know basis, aligned with business roles. Only a limited number of employees or contractors have direct access to production systems.

General Security Practices

All employees and contractors must use multi-factor authentication (MFA) on all primary work applications. Additionally, they undergo annual security training, covering best practices for password management, social engineering awareness, and phishing prevention.

Third-Party Audits and Certification

Cognition obtained SOC 2 Type II certification in September 2024. During this audit, third-party reviewers evaluated all security policies, procedures, and internal and external controls related to:

  • Data security
  • Privacy
  • Processing integrity
  • Confidentiality
  • Availability

For more details, visit our Trust Center.

Vulnerability Disclosure Program

If you identify a potential security issue, report it to our security team at security@cognition.ai. Cognition will notify Enterprise customers of any security incidents that may impact their environments, following the reporting obligations outlined in customer agreements.

Privacy & Intellectual Property

How does Cognition process data accessed by Devin?

Data processing depends on how customers interact with Devin:

  • Web Application: Cognition only processes data actively provided by the authorized user.
  • GitHub & Slack Integrations: The administrator installing the integration can review and manage all permissions granted to Devin.

For Enterprise customers with VPC or on-prem deployments, all customer data is stored within the customer’s tenant.

What is Cognition’s data retention policy?

Cognition retains data processed through Devin only for the duration of the customer relationship unless specified otherwise.

  • Feedback & User Interaction Data may be retained as needed, as determined by Cognition.

How is customer data used to improve Devin?

By default, Cognition does not train its models on customer data or code.

For Enterprise customers using VPC or on-prem deployments, all customer data remains within the customer’s tenant. Please refer to your Cognition agreement for further details.

What are the intellectual property (IP) rights for Devin’s output?

The output generated by Devin—whether code, work product, or other content—is the customer’s intellectual property and may be used for commercial purposes.

However, customers cannot use Devin’s output to train models intended to reverse-engineer or develop a competing product.

GitHub Integration Considerations

When configuring the GitHub integration, users can select which repositories Devin can access. Permissions can be adjusted at any time via GitHub’s App Settings.

For details on permissions and security considerations, visit the GitHub Integration Guide.

Slack Integration Considerations

Devin only processes data explicitly provided when:

  • It is tagged (@Devin)
  • It receives a direct prompt
  • Additional information is shared in an active Slack thread

For details on security and permissions, visit the Slack Integration Guide.

User Best Practices

Devin’s Limitations

While Devin improves daily, it may still:

  • Generate hallucinations (inaccurate or misleading responses)
  • Introduce bugs into code
  • Suggest insecure coding practices

To mitigate risks, we strongly recommend:

  • Code reviews before deployment
  • Branch protections to enforce validation checks
  • Following your organization’s standard engineering review processes

Handling Secrets

If Devin requires credentials (e.g., API keys, passwords, cookies), use Cognition’s Secrets feature under the Settings page to securely share and store sensitive information.

Sharing Feedback

We continuously enhance Devin based on customer feedback.

Your input is invaluable in refining Devin as an AI software engineer.