Enterprise-grade security

    Your customer data is protected with industry-leading security measures.

    How Cockato Protects Your Customer Data

    Security is foundational to how Cockato is built, not an afterthought. Every piece of customer data — names, email addresses, phone numbers, purchase history, and loyalty balances — is encrypted using AES-256 at rest and protected with TLS 1.3 during transmission. This is the same encryption standard used by banks and government agencies to protect sensitive financial data.

    Access to customer data follows the principle of least privilege. Every team member in your organisation gets role-based permissions: owners have full administrative control, admins manage day-to-day loyalty operations, and staff members can only process transactions and look up customers. Every administrative action is recorded in a complete audit trail, so you always know who changed what and when.

    Cockato's infrastructure runs on SOC 2-ready cloud providers with 99.9% uptime guarantees. We maintain compliance with GDPR for European customers, CCPA for Californian customers, and PCI DSS standards for handling payment-adjacent data. Regular penetration testing and vulnerability scanning ensure our defences stay ahead of emerging threats. For businesses with specific compliance requirements, our team is available to discuss our security architecture and provide documentation for your auditors.

    Encryption

    AES-256 encryption at rest, TLS 1.3 in transit for all data.

    Access Control

    Role-based permissions with least-privilege principles.

    Audit Logs

    Complete audit trail of all admin actions and changes.

    Infrastructure

    SOC 2-ready infrastructure with 99.9% uptime SLA.

    Compliance & Certifications

    SOC 2 Type II — In Progress
    GDPR Compliant
    CCPA Compliant
    PCI DSS Compliant

    Your Data Rights

    You retain full ownership of your customer data at all times. Cockato acts as a data processor on your behalf — we never sell, share, or use your customer information for our own marketing purposes. If you ever decide to leave Cockato, you can export your complete customer database, including loyalty balances, transaction history, and contact details, in standard CSV format at any time from your dashboard.

    Customers can request deletion of their personal data in accordance with GDPR and CCPA regulations. When a deletion request is received, all personally identifiable information is permanently removed from our systems within 30 days, including backups. We also provide a Data Processing Agreement (DPA) for businesses that require one for their own compliance obligations.

    For enterprise customers with specific regulatory requirements, we offer dedicated security reviews, custom data residency options, and direct access to our security team. Contact us to request our full security documentation package, including penetration test summaries and infrastructure architecture details.
