Security Policy
Last Updated: March 24, 2026
TocoAI is committed to protecting your code, inputs, and generated outputs. We treat security as a core principle in our product design.
Core Commitments
- Your inputs (requirement descriptions, prompts, existing code snippets) and outputs (generated domain models, backend code, flowcharts, etc.) are never used to train or improve any AI models.
- In default mode, we do not store your inputs or outputs. They are used only temporarily during request processing and are immediately discarded afterward (zero-retention policy).
- All infrastructure and data processing are primarily conducted in AWS, Google Cloud, and Azure data centers in the United States to ensure high performance and availability.
Infrastructure and Data Location
- Our core services run in U.S. regions.
- We support data residency options. If you require data to be stored in the Asia-Pacific or European Union regions, please contact us at contact@tocoai.dev to discuss feasible solutions.
AI Request and Content Processing
- Inputs and outputs are fully isolated during processing and are not shared across users.
- We have signed zero-data-retention agreements with our LLM providers, ensuring your content is not retained for training or any other purposes.
- All generation requests are transmitted through secure API channels using TLS 1.3 encryption.
Security Measures
- Encryption: TLS 1.3 for data in transit and AES-256 for data at rest.
- Access Control: Strict least-privilege principle (IAM roles) with multi-factor authentication (MFA) required for all internal access.
- Logging and Monitoring: All critical operations are logged, with real-time monitoring for anomalous behavior.
- Vulnerability Management: Regular automated vulnerability scanning and annual third-party penetration testing; critical vulnerabilities are patched within 7 days.
- Incident Response: We maintain a detailed incident response plan. Affected users will be notified of significant security incidents within 72 hours.
Certifications and Compliance
We rely on the enterprise-grade certifications of AWS, Google Cloud, and Azure, including:
- SOC 2 Type II
- ISO 27001 / 27017 / 27018
- Other relevant international standards
We are actively pursuing our own SOC 2 Type II certification and will update this policy once it is obtained.
Vulnerability Reporting and Contact
If you discover a security vulnerability or have any security-related questions, please email us at:
Email: contact@tocoai.dev
We commit to responding to security incident reports within 72 hours and will publicly disclose material incidents when necessary.
Account Deletion
You may request deletion of your account at any time by contacting us. Once your account is deleted, your personal data and content will be completely removed within a reasonable timeframe (backup copies will be retained for a maximum of 90 days).
We continuously monitor and improve our security practices. Any material changes to this policy will be announced on our website or communicated via email.
TocoAI Security Team