// Trust & Security Report

    Cognition Labs logo

    Cognition Labs

    Devin – The AI Software Engineer. Multi-product suite including Devin Cloud (SaaS), Devin Desktop (IDE), Devin Enterprise (self-hosted VPC), Devin Review (code review), and CLI tools. Positioned for code migration, refactoring, and autonomous engineering tasks.

    Certifications held

    4

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Cognition has been SOC 2 Type II certified since September 2024. Third-party evaluators assessed all security policies, procedures, internal and third-party controls related to data security, privacy, processing integrity, confidentiality and availability.

    Verify on docs.devin.ai
    ISO/IEC 27001:2022
    HELD

    Trust Center lists compliance with ISO/IEC 27001:2022 as a standard framework for assessing the security program.

    Verify on trust.cognition.ai
    GDPR
    HELD

    DPA explicitly addresses GDPR requirements, stating commitment to compliance with 'the General Data Protection Regulation 2016/679' and use of Standard Contractual Clauses for international data transfers.

    Verify on devin.ai
    CCPA/CPRA
    HELD

    Trust Center lists CCPA compliance. Privacy policy states: 'When enabled, we will honor your opt-out preference and stop selling or sharing your personal information for targeted advertising purposes, as required by applicable law.'

    Verify on trust.cognition.ai
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence. DPA does not mention HIPAA and focuses on general data protection laws rather than healthcare-specific regulations.

    source: devin.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence found in trust center, security docs, or DPA.

    source: trust.cognition.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence found.

    source: trust.cognition.ai

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Not guaranteed. Privacy policy states data may be transferred 'throughout the world, including the EU, UK and the US.' DPA allows transfers outside EEA using Standard Contractual Clauses but does not guarantee data residency in specific regions.

    Free/Pro tiers: Cognition states they 'may use User Content to train, fine tune and improve the models that power our Services' depending on applicable service terms. Enterprise tier: 'The organization does not train models on customer data or code by default.' This is a tier-dependent distinction that must be clearly understood at purchase.

    // Security controls

    Encryption in transit

    All data transmission encrypted in transit

    docs.devin.ai

    Encryption at rest

    All data encrypted at rest

    docs.devin.ai

    Session isolation

    Devin operates in ephemeral VMs that are torn down after each session. Code is fetched from customer's git provider and changes pushed back.

    docs.devin.ai

    Access controls

    Access to Cognition's AWS cloud environment granted on need-to-know basis, aligned with business roles. Limited employees/contractors have direct production access.

    cognition.com

    Multi-factor authentication

    All employees required to use MFA with annual security training

    docs.devin.ai

    Monitoring and logging

    Production systems continuously monitored through logging, error handling, and real-time dashboards tracking live metrics

    docs.devin.ai

    Data breach notification

    Devin will inform customers without undue delay of any data breach involving customer personal data

    devin.ai

    Vulnerability disclosure

    Vulnerability disclosure program allows security researchers to report issues to security@cognition.ai

    docs.devin.ai

    Secrets management

    Secrets Manager secures sensitive credentials separately from regular data flows

    docs.devin.ai

    Annual third-party audits

    Uses independent third-party auditors to assess security program at least annually against SOC 2 Type II and ISO 27001 frameworks

    cognition.com

    // Products & data scope

    Devin CloudSaaS

    data: Code and task context processed in Cognition-managed infrastructure. Free/Pro tiers may be used for model training. Enterprise tier data not used for training.

    Primary SaaS offering for autonomous code generation and task execution

    Devin DesktopIDE

    data: Code processed locally on developer machine

    IDE integration (formerly Windsurf). Data handling depends on connection to Cloud tier.

    Devin EnterpriseSelf-hosted / VPC

    data: Data saved within customer-controlled VPC environment. Never used for training.

    Dedicated deployment within customer's Virtual Private Cloud. Highest data isolation.

    Devin ReviewCode Review

    data: Code diffs and PR context for review automation

    Automated code review, visual QA, and bug identification

    Devin CLICommand-line tool

    data: Task context and output processed through CLI

    Command-line interface for integrations and automation

    Devin Windows VMDesktop automation

    data: Desktop and browser interaction data

    Windows VM for visual QA and browser automation tasks

    // What to watch

    • AI training distinction critical: Free/Pro tiers explicitly allow use of 'User Content to train, fine tune and improve the models' (subject to service terms), while Enterprise tier excludes customer data from training. This is a major procurement differentiator and must be clearly communicated to buyers.
    • HIPAA NOT supported: Devin is not HIPAA-compliant and should not be used for regulated healthcare data without explicit vendor commitment. No references to HIPAA in DPA, privacy policy, or security documentation.
    • ISO 27001 certification date not publicly disclosed: Trust center lists ISO/IEC 27001:2022 as a framework, but no certification date is provided. Only SOC 2 Type II date (September 2024) is explicit.
    • Data residency not guaranteed: Customers requiring data to remain in specific regions (e.g., EU-only) cannot rely on standard Devin offerings without Enterprise/custom arrangement.
    • Outdated reference in DPA: DPA mentions 'SOC 2 Type I certification' but current certification is SOC 2 Type II as of Sept 2024. DPA may need updating.
    • Data training ambiguity in Free/Pro: 'User Content' definition and what 'applicable service terms' permit is not fully transparent without reading full service agreement.

    // At a glance

    Pricing model

    Subscription-based (Free/Pro/Teams/Enterprise). Free tier available. Enterprise requires custom pricing.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Cognition Labs's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.cognition.ai

    > Browse all vendor trust reports