Security at Cognition
We want Devin to be a core contributor in your organization, and we have prioritized security, data privacy and compliance to make that possible.
Security
Secure Transmission and Encryption
All data is encrypted in transit and at rest. Production software is also routinely monitored via logging, error handling and monitoring dashboards of live metrics. Unusual application states (i.e., unusually high error rates, slowness, failures) trigger alerts, which are quickly investigated by our team.
Access to our cloud environment in AWS is granted on an as-required basis according to business role, and only a small number of employees or contractors are granted direct access to production systems.
General Security Practices
All employees and contractors are required to use multi-factor authentication on all main work applications. All employees and contractors also receive annual training about security best practices, including good password management and how to identify social engineering and phishing scams.
Third-party audits and certification
Cognition obtained SOC 2 Type II certification and conducted Security Training in March 2024 for all employees at Cognition. As part of the SOC 2 audit, Cognition’s auditors reviewed all of Cognition’s security policies, procedures, and internal and third-party controls related to data security, privacy, processing integrity, confidentiality and availability.
For more details about our security, please visit our Trust Center.
Vulnerability Disclosure Program
If you have identified a potential security issue, we encourage you to share your findings with us. Please send your vulnerability reports to our security team at security@cognition.ai.
Privacy & Intellectual Property
How does Cognition use and process data run through and/or accessed by Devin?
Cognition processes data based on the application Customers use to interact with Devin. Devin can be accessed via the web application or the GitHub or Slack integration. For the web application, Cognition only processes data actively provided by the authorized user prompting Devin; for the GitHub and Slack integrations, the administrator installing the integration can review and manage all permissions granted to Devin.
Cognition uses Customer data to:
- Deliver, maintain and update services provided to the Customer per their configuration and type of Devin access (e.g. web application, GitHub integration or Slack integration) to make sure the software is up-to-date and operational.
- Troubleshoot, prevent and resolve issues such as product-related issues, software bugs or security incidents to maintain service functionality and reliability.
What data retention policy does Cognition maintain?
Cognition only retains data processed through Devin for the duration of the relationship with a given Customer, unless otherwise specified by the Customer.
Any Feedback Data and User Interaction Data are retained as long as needed and as determined by Cognition.
How is your data used to improve Devin?
By default, we do not use any of your data for model training purposes unless you explicitly opt in on the Data Controls settings page. Devin can still learn to fit into your unique workflow via the Knowledge feature. When you share Knowledge, Devin can become more reliable at working on your specific projects over time.
If you are an Enterprise customer, we will never train on your data. Please refer to the terms in your agreement with Cognition for details.
What are the main IP considerations regarding the output produced by Devin?
The output — code, work product, or other — produced by Devin is considered the user’s intellectual property and can be used for the Customer’s commercial purposes, with the exception of using the output to train models that would attempt to reverse engineer and/or build a competing product to Devin.
GitHub Integration Considerations
When setting up the GitHub integration, users can select which repositories Devin can access, with permissions adjustable through GitHub’s App Settings during and post-installation.
For more details on the requested permissions and security considerations, see the GitHub Integration Guide.
Slack Integration Considerations
In Slack, Devin doesn’t read, process or store any data in your Slack instance other than the information provided when @Devin is tagged and initially prompted, and any additional information provided within the Slack thread while the session is ongoing.
For more details on the requested permissions and security considerations, see the Slack Integration Guide.
User Best Practices
Devin Limitations
While Devin’s performance is improving daily, it can still experience hallucinations, introduce bugs into code, or suggest insecure code or procedures. As with any coding best practice, we recommend taking the appropriate precautions with code written by Devin, such as code reviews, enabling branch protections to ensure checks are enforced before Devin can merge any changes, and any practices currently adopted in your organization to review engineers’ work.
Secrets
You may need to provide Devin with credentials and keys such as passwords, API keys, cookies or other items for authentication. In all cases, we advise users to use our Secrets feature under the Settings page to share and store those credentials securely.
Share Feedback