Security at Codat

Welcome to Codat’s Trust Portal

We take the responsibility of looking after your data very seriously. On this page, you’ll find everything related to Codat’s security, compliance, and privacy policies. Please reach out to your Account Manager if you have any questions.

Compliance

Codat’s Security Compliance program is built and continually improved in line with industry-recognized and SOC2 TSP and ISO27001 standards. We undergo audits every year for both of these. If you’d like to see our latest SOC 2 Type II, just ask your Account Manager.

Application and data security

Attack prevention

To defend against attacks, Codat has a Web Application Firewall in place.

Bug bounty and penetration testing

Codat conducts annual penetration testing and operates a managed private bug bounty program.

Data encryption

When your data is in storage, it is encrypted using Advanced Encryption Standards (AES-256). When on the move, your data is encrypted via industry best practices using Transport Layer Security (TLS 1.2).

User access

Codat employees will not have access to your Codat Portal instance unless you explicitly grant permission. You will retain full control over user access at all times, including privileged administrative rights.

Cloud infrastructure

Shared responsibility model

Codat uses Microsoft Azure’s Platform as a Service (PaaS) offering to provide its products. This means that Azure is responsible for the patching and maintenance of the operating system, in addition to the physical data centers and network security.

Compliance

Azure regularly undergoes independent verification of security, compliance, and privacy controls against both ISO27001 and SOC2 standards, as well as many more. More information on Azure’s security can be found here.

Anti-virus & malware protection

All Codat devices are fully covered by our endpoint detection and response system.

Mobile device management

Devices are fully managed, including patch management, security policies, and other best practices where applicable.

Our people

Employee lifecycle

Codat’s onboarding process involves comprehensive interviewing of candidates, background screening, and a structured onboarding period. Exiting employees have their access to Codat systems terminated within one business day.

Training

All Codat employees undergo security training when they start with us, and then at least annually thereafter. We also conduct regular in-house phishing campaigns and ad hoc training.

We encourage responsible disclosure

If you discover vulnerabilities in our web application, or in our APIs, we ask that you alert our team by completing the form below.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	1 year	This cookies is set by GDPR Cookie Consent WordPress Plugin. The cookie is used to remember the user consent for the cookies under the category "Analytics".
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
viewed_cookie_policy	1 year	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
lpv887333	30 minutes	No description
visitor_id887333	10 years	No description
visitor_id887333-hash	10 years	No description

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_89798244_1	1 minute	Google Analytics cookies are used to collect information about how Visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of Visitors to the site, where Visitors have come to the site from, and the pages they visited.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	This cookie is used to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	This cookie is set to let Hotjar know whether that visitor is included in the data sampling defined by your site's pageview limit.
_hjTLDTest	session	When the Hotjar script executes we try to determine the most generic cookie path we should use, instead of the page hostname. This is done so that cookies can be shared across subdomains (where applicable). To determine this, we try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. After this check, the cookie is removed.
_lfa	2 years	This cookie is set by the provider Leadfeeder. This cookie is used for identifying the IP address of devices visiting the website. The cookie collects information such as IP addresses, time spent on website and page requests for the visits.This collected information is used for retargeting of multiple users routing from the same IP address.
pardot	past	The cookie is set when the visitor is logged in as a Pardot user.
vuid	2 years	This domain of this cookie is owned by Vimeo. This cookie is used by vimeo to collect tracking information. It sets a unique ID to embed videos to the website.

Compliance

Application and data security

Attack prevention

Bug bounty and penetration testing

Data encryption

User access

Cloud infrastructure

Shared responsibility model

Compliance

Endpoint devices

Anti-virus & malware protection

Mobile device management

Our people

Employee lifecycle

Training

We encourage responsible disclosure