All data transmission is encrypted in transit and at rest. Production systems are continuously monitored through logging, error handling, and real-time dashboards tracking live metrics. Alerts are triggered for unusual application states (e.g., high error rates, slow performance, failures) and are promptly investigated by our team.

Access to Cognition’s AWS cloud environment is granted on a need-to-know basis, aligned with business roles. Only a limited number of employees or contractors have direct access to production systems.

All employees and contractors must use multi-factor authentication (MFA) on all primary work applications. Additionally, they undergo annual security training, covering best practices for password management, social engineering awareness, and phishing prevention.

Cognition obtained SOC 2 Type II certification in September 2024. During this audit, third-party reviewers evaluated all security policies, procedures, and internal and external controls related to:

• Data security
• Privacy
• Processing integrity
• Confidentiality
• Availability

For more details, visit our Trust Center.

If you identify a potential security issue, report it to our security team at security@cognition.ai. Cognition will notify Enterprise customers of any security incidents that may impact their environments, following the reporting obligations outlined in customer agreements.

Data processing depends on how customers interact with Devin:

• Web Application: Cognition only processes data actively provided by the authorized user.
• GitHub & Slack Integrations: The administrator installing the integration can review and manage all permissions granted to Devin.

For Enterprise customers with VPC or on-prem deployments, all customer data is stored within the customer’s tenant.

Cognition retains data processed through Devin only for the duration of the customer relationship unless specified otherwise.

• Feedback & User Interaction Data may be retained as needed, as determined by Cognition.

By default, Cognition does not train its models on customer data or code.

For Enterprise customers using VPC or on-prem deployments, all customer data remains within the customer’s tenant. Please refer to your Cognition agreement for further details.

The output generated by Devin—whether code, work product, or other content—is the customer’s intellectual property and may be used for commercial purposes.

However, customers cannot use Devin’s output to train models intended to reverse-engineer or develop a competing product.

When configuring the GitHub integration, users can select which repositories Devin can access. Permissions can be adjusted at any time via GitHub’s App Settings.

For details on permissions and security considerations, visit the GitHub Integration Guide.

Devin only processes data explicitly provided when:

• It is tagged (@Devin)
• It receives a direct prompt
• Additional information is shared in an active Slack thread

For details on security and permissions, visit the Slack Integration Guide.

While Devin improves daily, it may still:

• Generate hallucinations (inaccurate or misleading responses)
• Introduce bugs into code
• Suggest insecure coding practices

To mitigate risks, we strongly recommend:

• Code reviews before deployment
• Branch protections to enforce validation checks
• Following your organization’s standard engineering review processes

If Devin requires credentials (e.g., API keys, passwords, cookies), use Cognition’s Secrets feature under the Settings page to securely share and store sensitive information.

We continuously enhance Devin based on customer feedback.

• For feature requests and suggestions, contact your Cognition account team or email support@cognition.ai.
• To report security incidents, email security@cognition.ai.

Your input is invaluable in refining Devin as an AI software engineer.