Security at Cognition

All data transmission is encrypted in transit and at rest. Production software is also routinely monitored via logging, error handling and monitoring dashboards of live metrics. Unusual application states (ie. unusually high error rates, slowness, failures) trigger alerts which are quickly investigated by our team.

Access to our cloud environment in AWS is granted on an as-required basis based on business roles and only a small number of employees or contractors are granted direct access to production systems.

All employees and contractors are required to use multi-factor authentication on all main work applications. All employees and contractors also receive annual training about security best practices, including good password management and how to identify social engineering and phishing scams.

Cognition obtained SOC 2 Type II certification and conducted Security Training in March 2024 for all employees at Cognition. As part of the SOC 2 audit, Cognition’s auditors reviewed all of Cognition’s security policies, procedures, internal and third party controls related to data security, privacy, processing integrity, confidentiality and availability.

For more details about our security please visit our Trust Center.

Cognition processes data based on the application Customers use to interact with Devin. Devin can be accessed via web application, Github or Slack integration. For the web application, Cognition only processes data actively provided by the authorized user prompting Devin; for the Github and Slack integrations, the administrator installing the integration can review and manage all permissions granted to Devin.

Cognition uses Customer data to:

• Deliver, maintain and update services provided to the Customer per their configuration and type of Devin access (e.g. web application, Github integration or Slack integration) to make sure the software is up-to-date and operational.
• Troubleshoot, prevent and resolve issues such as product-related issues, software bugs or security incidents to maintain service functionality and reliability.

Cognition only retains data processed through Devin for the duration of the relationship with a given Customer, unless otherwise specified by the Customers.

Any Feedback Data and User Interaction Data are retained as long as needed and as determined by Cognition.

Devin is a collaborative AI teammate that can learn over time to fit into your unique workflow. When you share content and feedback with Devin, Devin can become more reliable at working on your specific projects over time.

If you are a Personal or Team user, we may use your content to train our models. You can opt-out of training by going to Settings > Data Controls in Devin.

If you are an Enterprise customer, we will not train on your data by default. Please refer to the terms in your agreement with Cognition for details.

The output — code, work product, or other — produced by Devin is considered the user’s intellectual property and can be used for the Customer’s commercial purposes, with the exception of using the output to train models that would attempt to reverse engineer and/or build a competing product to Devin.

When setting up the Github integration, users can select which repositories Devin can access, with permissions adjustable through Github’s App Settings during and post-installation.

For more details on the requested permissions and security considerations go to GitHub Integration Guide.

In Slack, Devin doesn’t read, process or store any data in your Slack instance other than the information provided when @Devin is tagged, initially prompted and when any additional information provided within the Slack thread while the session is ongoing.

For more details on the requested permissions and security considerations go to Slack Integration Guide.

While Devin’s performance is improving daily, it can still experience hallucinations, introduce bugs into code, or suggest insecure code or procedures. Like with any coding best practices, we recommend taking the appropriate precautions with the code written by Devin such as code reviews, enabling branch protections to ensure checks are enforced before Devin can merge any changes, and any practices currently adopted in your organization to review engineers’ work.

You may need to provide Devin with credentials and keys such as passwords, API keys, cookies or other for authentication. In all cases we advise users to leverage our Secrets feature under the Settings page to share and store those credentials securely.

We’re still learning and developing Devin to be a great AI software engineer, and our customers’ feedback is crucial for Devin’s development. We strongly encourage sharing feedback and feature requests directly with your Cognition account team or by emailing support@cognition.ai, and reporting incidents by emailing security@cognition.ai.