Security Overview
Last updated: May 29, 2026
CoopAI is a code intelligence platform consisting of a VS Code extension, a backend server (graph, jobs, webhooks, and LLM routing), and optional integrations with code hosts and chat systems. This page describes our security architecture and data handling practices as implemented in the current product.
Architecture
CoopAI uses a zero-clone architecture. Repository metadata, ownership graphs, and change history are indexed on the Coop server via webhooks and background jobs. Developers query this remote graph through the VS Code extension without cloning entire codebases locally for intelligence features.
LLM inference is routed through a dedicated server-side Model Router. Provider API keys are stored in server environment configuration — not in the IDE, not in client-side settings, and not in source control.
Zero-retention LLM routing
Before any code context reaches an LLM provider, CoopAI applies a zero-retention configuration layer:
- System instructions declaring CoopAI code context as enterprise-confidential
- Request headers including x-data-retention-policy, x-use-case, x-enterprise-mode, x-no-training, and x-no-logging
- Body annotations under retention_policy with store_conversation, use_for_training, use_for_fine_tuning, and allow_logging set to false
- Payload sanitization via sanitizeLlmRequestPayload before transmission
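As an added example (not CoopAI's own code), the following check inspects outbound LLM requests for the headers and retention_policy flags listed above and computes the share of requests that carry the full set. The function names, request shape, and header values are assumptions; this page gives only the header and flag names.

```javascript
// Added example, not CoopAI code. Header and flag names come from the list above;
// function names, request shape and header values are assumptions.
const REQUIRED_HEADERS = [
  "x-data-retention-policy", "x-use-case", "x-enterprise-mode",
  "x-no-training", "x-no-logging",
];
const REQUIRED_FALSE_FLAGS = [
  "store_conversation", "use_for_training", "use_for_fine_tuning", "allow_logging",
];

// Returns a list of problems; an empty list means the full layer is present.
function checkZeroRetention(request) {
  const problems = [];
  // Header names are case-insensitive, so normalise before comparing.
  const seen = new Set(Object.keys(request.headers || {}).map((h) => h.toLowerCase()));
  for (const name of REQUIRED_HEADERS) {
    if (!seen.has(name)) problems.push(`missing header ${name}`);
  }
  const policy = request.body && request.body.retention_policy;
  if (!policy || typeof policy !== "object") {
    problems.push("missing retention_policy");
    return problems;
  }
  for (const flag of REQUIRED_FALSE_FLAGS) {
    // Strict check: an absent flag or the string "false" does not count.
    if (policy[flag] !== false) problems.push(`retention_policy.${flag} is not false`);
  }
  return problems;
}

// Percentage of requests that carry the full layer (0 for an empty batch).
function zeroRetentionCoverage(requests) {
  if (requests.length === 0) return 0;
  const ok = requests.filter((r) => checkZeroRetention(r).length === 0).length;
  return (ok / requests.length) * 100;
}

// Constructed sample requests; "placeholder" stands in for the real header values.
const fullHeaders = Object.fromEntries(REQUIRED_HEADERS.map((n) => [n, "placeholder"]));
const upperHeaders = Object.fromEntries(REQUIRED_HEADERS.map((n) => [n.toUpperCase(), "placeholder"]));
const { "x-no-logging": _omitted, ...noLoggingHeader } = fullHeaders;
const fullPolicy = Object.fromEntries(REQUIRED_FALSE_FLAGS.map((f) => [f, false]));
const SAMPLE_REQUESTS = [
  { headers: fullHeaders, body: { retention_policy: fullPolicy } },
  { headers: upperHeaders, body: { retention_policy: fullPolicy } },
  { headers: noLoggingHeader, body: { retention_policy: fullPolicy } },
  { headers: fullHeaders, body: { retention_policy: { ...fullPolicy, allow_logging: "false" } } },
];
console.log(zeroRetentionCoverage(SAMPLE_REQUESTS), SAMPLE_REQUESTS.map(checkZeroRetention));
```

The check confirms only that the flags are sent; whether a provider honours them depends on the provider terms described in the next section.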
No model training
CoopAI does not use your code, prompts, or completions to train models. Inference requests are sent to third-party LLM providers under their commercial API terms, which by default do not use API data for model training:
- Anthropic: Commercial Claude API data is not used for training by default unless explicitly opted in
- OpenAI: Standard inference API data is not used for training by default; abuse-monitoring retention may apply unless zero data retention is contracted
- Google Gemini: Paid API or Vertex AI terms apply; web search, context caching, and session storage features are disabled for zero-retention workloads
- DeepSeek: Blocked for enterprise-confidential routing unless legal approves a DPA with explicit no-training/no-retention terms
Bring Your Own Key (BYOK)
Enterprise customers may route inference through their own provider accounts. In BYOK mode:
- Coop stores only an API key hash and encrypted key material
- Decrypted keys exist only for the duration of the outbound request
- API keys are never written to logs, error reports, or audit payloads
- Audit logs include customer ID, provider, model, timestamp, request ID, status, and status code — retained for 90 days
- Audit logs explicitly exclude API keys, prompts, responses, and raw code context
Authentication
API access to the Coop server uses bearer token authentication (Authorization: Bearer <COOP_API_TOKEN>). In production, a token must be configured; development mode may skip auth when no token is set.
The VS Code extension stores the Coop API token using VS Code's SecretStorage API, which leverages the operating system keychain.
Data in transit and at rest
- All API communication uses HTTPS/TLS
- Webhook payloads from code hosts are validated and processed server-side
- Graph and job data storage depends on deployment configuration (in-memory for development; PostgreSQL supported for production job queues)
- BYOK key material is encrypted at rest
Logging and error handling
CoopAI is designed to exclude sensitive data from logs and crash reports:
- Request bodies, response bodies, API keys, and prompt content are excluded from error logs
- Provider compliance checks run on backend startup
- Configuration changes for BYOK, provider enablement, and policy overrides are logged
Integrations
CoopAI integrates with GitHub, GitLab, and Bitbucket for repository webhooks and metadata. Slack integration may receive webhook events for organizational context. Each integration uses host-specific authentication configured on the server.
Compliance attestation
CoopAI can generate retention reports and signed attestation payloads documenting:
- Percentage of requests sent with zero-retention flags
- Count of BYOK requests
- Provider policy links and verification dates
- Sanitization rules applied before transmission
- Configuration changes in the last 90 days
A zero-retention DPA addendum template is available for enterprise customers undergoing legal review.
Responsible disclosure
If you discover a security vulnerability, please report it to security@coop-ai.dev. We aim to acknowledge reports within 48 hours.
What we do not claim
- SOC 2 Type II or ISO 27001 certification (not yet obtained)
- HIPAA compliance (not assessed for healthcare workloads)
- FedRAMP authorization
We are happy to discuss your security requirements during an enterprise evaluation and provide architecture documentation for your review.