Frequently Asked Questions

Below are ten of the most common data privacy and security questions we get asked. If you have any additional questions or concerns about our security practices, please feel free to reach out to our Privacy Manager (privacy@coconutsoftware.com)

All data is encrypted in transit, and at rest using industry standard practices
Staff workstations are also encrypted.

All data is stored in data centers according to the location of the headquarters of the organization.

Example: Data from American organizations is stored in an American data center, while data from Canadian organizations is stored in a Canadian data center.

Please see https://aws.amazon.com/compliance/ for SSAE 16, SOC 1, SOC 2, OWASP, or PIPEDA report for hosted services.
Please see https://aws.amazon.com/security/ for security details related to application hosting environment.
In addition to data center security and network security, AWS data centers provide exceptional operational security and have several certifications that its customers can leverage. Some of them include SOC 1, SOC 2, SOC 3 and ISO 27001. For more details on AWS Compliance, please visit: https://aws.amazon.com/compliance/.

We have a variety of methods and tools in place for intrusion detection, vulnerability monitoring, configuration monitoring, and file integrity monitoring.
We also monitor for downtime, load time, and site responsiveness.

We run full nightly backups along with incremental back-ups multiple times per hour.

Yes, Coconut Software is SOC 2 compliant. We have passed our most recent SOC 2, Type 2 audit with no exceptions.
In addition to data center security and network security, AWS data centers provide exceptional operational security and has several certifications that its customers can leverage. Some of them include SOC 1, SOC 2, SOC 3 and ISO 27001. For more details on AWS Compliance, please visit: https://aws.amazon.com/compliance/.

All Coconut Employees must pass a standard criminal record check prior to employment. They must also sign non-disclosure agreements prior to employment and receiving any proprietary and/or sensitive data. All new staff are shown a privacy and security video as part of the onboarding and training process.
Coconut has monthly privacy and security meetings to review policies and best practices. Coconut holds annual mandatory privacy and security training sessions for all staff.

The Coconut application maintains separate environments for production, development, and demonstration purposes, all hosted on AWS. No live client data is ever used for testing or demonstration purposes.

The only cookies we use are session cookies, which are short-lived and do not contain any personal info. For authenticated users, we use authentication cookies that are fully encrypted.

Detailed incident response plans have been prepared to ensure proper protection of data in an emergency. For more details, please refer to the section above on monitoring procedures.

There have been no security breaches in the last 7 years. In the event of the unexpected however, all breach notifications will be handled according to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA, 2000), as amended by the Digital Privacy Act (DPA, 2015). For European Union clients, all breach notifications will be handled according to the EU’s General Data Protection Regulation Act (GDPR, 2018).
For more information, please visit Coconut Software’s Privacy Notice & Terms of Use.