// Trust & Security Report
Cognition Labs
Devin – The AI Software Engineer. Multi-product suite including Devin Cloud (SaaS), Devin Desktop (IDE), Devin Enterprise (self-hosted VPC), Devin Review (code review), and CLI tools. Positioned for code migration, refactoring, and autonomous engineering tasks.
Certifications held
4
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.devin.ai“Cognition has been SOC 2 Type II certified since September 2024. Third-party evaluators assessed all security policies, procedures, internal and third-party controls related to data security, privacy, processing integrity, confidentiality and availability.”
Verify on trust.cognition.ai“Trust Center lists compliance with ISO/IEC 27001:2022 as a standard framework for assessing the security program.”
Verify on devin.ai“DPA explicitly addresses GDPR requirements, stating commitment to compliance with 'the General Data Protection Regulation 2016/679' and use of Standard Contractual Clauses for international data transfers.”
Verify on trust.cognition.ai“Trust Center lists CCPA compliance. Privacy policy states: 'When enabled, we will honor your opt-out preference and stop selling or sharing your personal information for targeted advertising purposes, as required by applicable law.'”
> Show 3 unconfirmed / not-held certifications
source: devin.aiNo public evidence. DPA does not mention HIPAA and focuses on general data protection laws rather than healthcare-specific regulations.
source: trust.cognition.aiNo public evidence found in trust center, security docs, or DPA.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not guaranteed. Privacy policy states data may be transferred 'throughout the world, including the EU, UK and the US.' DPA allows transfers outside EEA using Standard Contractual Clauses but does not guarantee data residency in specific regions.
Free/Pro tiers: Cognition states they 'may use User Content to train, fine tune and improve the models that power our Services' depending on applicable service terms. Enterprise tier: 'The organization does not train models on customer data or code by default.' This is a tier-dependent distinction that must be clearly understood at purchase.
// Security controls
Session isolation
Devin operates in ephemeral VMs that are torn down after each session. Code is fetched from customer's git provider and changes pushed back.
docs.devin.aiAccess controls
Access to Cognition's AWS cloud environment granted on need-to-know basis, aligned with business roles. Limited employees/contractors have direct production access.
cognition.comMulti-factor authentication
All employees required to use MFA with annual security training
docs.devin.aiMonitoring and logging
Production systems continuously monitored through logging, error handling, and real-time dashboards tracking live metrics
docs.devin.aiData breach notification
Devin will inform customers without undue delay of any data breach involving customer personal data
devin.aiVulnerability disclosure
Vulnerability disclosure program allows security researchers to report issues to security@cognition.ai
docs.devin.aiSecrets management
Secrets Manager secures sensitive credentials separately from regular data flows
docs.devin.aiAnnual third-party audits
Uses independent third-party auditors to assess security program at least annually against SOC 2 Type II and ISO 27001 frameworks
cognition.com// Products & data scope
data: Code and task context processed in Cognition-managed infrastructure. Free/Pro tiers may be used for model training. Enterprise tier data not used for training.
Primary SaaS offering for autonomous code generation and task execution
data: Code processed locally on developer machine
IDE integration (formerly Windsurf). Data handling depends on connection to Cloud tier.
data: Data saved within customer-controlled VPC environment. Never used for training.
Dedicated deployment within customer's Virtual Private Cloud. Highest data isolation.
data: Code diffs and PR context for review automation
Automated code review, visual QA, and bug identification
data: Task context and output processed through CLI
Command-line interface for integrations and automation
data: Desktop and browser interaction data
Windows VM for visual QA and browser automation tasks
// What to watch
- AI training distinction critical: Free/Pro tiers explicitly allow use of 'User Content to train, fine tune and improve the models' (subject to service terms), while Enterprise tier excludes customer data from training. This is a major procurement differentiator and must be clearly communicated to buyers.
- HIPAA NOT supported: Devin is not HIPAA-compliant and should not be used for regulated healthcare data without explicit vendor commitment. No references to HIPAA in DPA, privacy policy, or security documentation.
- ISO 27001 certification date not publicly disclosed: Trust center lists ISO/IEC 27001:2022 as a framework, but no certification date is provided. Only SOC 2 Type II date (September 2024) is explicit.
- Data residency not guaranteed: Customers requiring data to remain in specific regions (e.g., EU-only) cannot rely on standard Devin offerings without Enterprise/custom arrangement.
- Outdated reference in DPA: DPA mentions 'SOC 2 Type I certification' but current certification is SOC 2 Type II as of Sept 2024. DPA may need updating.
- Data training ambiguity in Free/Pro: 'User Content' definition and what 'applicable service terms' permit is not fully transparent without reading full service agreement.
// At a glance
Pricing model
Subscription-based (Free/Pro/Teams/Enterprise). Free tier available. Enterprise requires custom pricing.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Cognition Labs's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.cognition.ai