Security

COBAN follows a risk-based security program covering access control, infrastructure hardening, secure development, monitoring, incident response, backup and recovery, vendor review, and operational change management.

Controls are reviewed as the product, customer base, data sources, and infrastructure evolve.

COBAN uses authenticated access, role-aware workspace boundaries, least-privilege operating practices, and account or client context separation for production data.

Administrative access is limited to authorized personnel and used for support, maintenance, security, debugging, and customer-authorized operational work.

Users should enable strong passwords, avoid credential sharing, and promptly remove access for staff who no longer need a workspace.

COBAN protects data in transit with encrypted connections where supported. Production databases, object storage, and managed services use provider-supported encryption and access controls.

Secrets, API keys, database credentials, and tokens are stored outside source control and rotated when needed after role changes, service changes, or suspected exposure.

Customer data is logically separated by workspace, account, client, or group identifiers depending on product area and workflow design.

Security-sensitive changes are reviewed before deployment and validated through build, lint, type checks, targeted tests, or manual verification when applicable.

Developers avoid committing secrets, use environment-based configuration, validate inputs for API handlers where patterns exist, and keep changes scoped to reduce regression risk.

COBAN reviews application logs, job outcomes, error traces, authentication events, and operational signals to detect ingestion failures, suspicious access, abnormal usage, and data-quality regressions.

Logs are used for security, debugging, auditability, incident response, and service improvement. Access to logs is restricted based on operational need.

COBAN maintains backup and recovery practices appropriate for production databases and critical configuration. Recovery procedures are designed to reduce data loss and restore service after infrastructure or operational incidents.

Backup retention and restoration timing may vary by environment, provider, customer agreement, and incident type.

Potential incidents are triaged by severity, scope, affected data, customer impact, and containment needs. COBAN works to investigate, contain, remediate, and communicate material incidents promptly.

When a breach notification duty applies, COBAN will notify affected customers without undue delay after confirming relevant facts, subject to law-enforcement, security, and investigation constraints.

Report suspected vulnerabilities to coban.service@cobanvn.com with affected URL, account context if safe, reproduction steps, expected impact, screenshots or logs when safe, and contact details.

Do not access, modify, exfiltrate, or destroy data that is not yours. Do not perform denial-of-service testing, social engineering, spam, or physical attacks.

Customers are responsible for user lifecycle management, role assignment, source permissions, safe handling of exports, client confidentiality, endpoint security, and review of third-party sharing outside COBAN.