// Trust & Security Report
UAB Ocoya
Ocoya is an AI-powered social media management platform (content creation, scheduling, DM/comment automation, AI agents and workflows) sold in a single product line with tiered plans (Bronze, Silver, Gold, Diamond) for individuals, small teams, and agencies.
Certifications held
1
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ocoya.com“"Ocoya is a processor acting on behalf of Customer (whether itself a controller or a processor)." The page also incorporates Standard Contractual Clauses for EEA/UK/Swiss transfers via a Data Processing Addendum effective January 1, 2024.”
> Show 8 unconfirmed / not-held certifications
source: ocoya.comno public evidence. The only third-party-audit language found is in the DPA: "Customer acknowledges that Ocoya is regularly audited against SSAE 16 and PCI standards by independent third party auditors and internal auditors respectively." This references SSAE 16 (an attestation standard superseded by SSAE 18 in 2017) and provides no report, badge, auditor name, or date, so it cannot be treated as confirmation of a current SOC 2 report.
source: ocoya.comno public evidence. Not mentioned on the DPA/GDPR page, privacy policy, terms of service, or home page.
source: ocoya.comno public evidence. Not mentioned anywhere on the vendor's legal, privacy, or marketing pages; Ocoya's product (social media scheduling/marketing) is not positioned for healthcare/PHI use cases.
source: ocoya.comThe DPA states "Ocoya is regularly audited against SSAE 16 and PCI standards by independent third party auditors" but no PCI attestation of compliance (AOC), report, or badge is published, and Ocoya does not appear to process cardholder data directly (no named payment processor in the Terms of Service). Treated as unverified boilerplate, not a confirmed cert.
source: ocoya.comno public evidence found on any vendor-domain page.
source: ocoya.comno public evidence. No AI-governance certification is referenced anywhere on the vendor's site despite Ocoya's product being built around AI agents/automation.
source: ocoya.comno public evidence; Ocoya is a EU-based SMB/agency marketing tool, not positioned for US federal/government use.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Per the DPA: "Ocoya may transfer and process Customer Data to and in the United States and anywhere else in the world where Ocoya, its Affiliates or its Sub-processors maintain data processing operations," with Standard Contractual Clauses applied for EEA/UK/Swiss transfers. Company is EU-based (footer: "Made with in EU" / "Copyright UAB Ocoya", Lithuania).
No explicit statement, in the privacy policy, DPA, or terms of service, on whether Ocoya or its underlying AI providers train models on customer content/data, and no opt-out mechanism is documented. Ocoya's AI features (caption/image generation) likely route through third-party AI providers that are not named in any of the reviewed vendor pages.
// Security controls
Encryption in transit
Not publicly disclosed by Ocoya; the DPA instead places responsibility on the customer: "Customer is responsible for its secure use of the Service, including ... protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service."
ocoya.comThird-party/independent audit claim
DPA text claims regular audits against SSAE 16 and PCI standards, but no report, badge, or date is published; treated as unverified.
ocoya.comRole-based access / workspace permissions
Marketing copy references "team member roles" and "multi-level approvals" (internal approval, client approval, share public link) for workspace collaboration; no technical detail on how access control is enforced.
ocoya.comVulnerability disclosure program
A page titled "Vulnerability Disclosure Program" for ocoya.com appears in third-party search indexes referencing reports to support@ocoya.com, but the URL (https://www.ocoya.com/vulnerability) returned HTTP 404 on direct fetch during this review, so an active, current program could not be independently confirmed.
ocoya.comSub-processor management
"Customer agrees that Ocoya may engage Sub-processors to process Customer Data on Customer's behalf," with 10 days' advance notice of changes and a contractual requirement that sub-processors provide at least the same level of data protection.
ocoya.com// Products & data scope
data: 1-5 workspaces, 1-5 users, 5-20 connected social profiles, monthly AI credit allowance
Same underlying platform and legal terms as higher tiers; no separate security posture documented for lower tiers.
data: Up to unlimited workspaces, 20-50 users, 50-150 connected social profiles, client approval workflows and public-link sharing
Adds multi-level approval flows and client-facing sharing links, which widens the practical data-exposure surface (external stakeholders can view shared links), but no additional compliance controls are documented for this tier.
// What to watch
- Over-claim risk: DPA states Ocoya is "regularly audited against SSAE 16 and PCI standards by independent third party auditors" with no report, badge, auditor name, or date published anywhere on the site. SSAE 16 was superseded by SSAE 18 in 2017, which suggests generic/stale template language rather than a current, verifiable audit. Do not list SOC 2 or PCI DSS as held certs based on this line alone.
- No SOC 2, ISO 27001, ISO/IEC 42001, or HIPAA claims found anywhere on the vendor's site; none should be displayed for this listing.
- No dedicated trust/security center; all compliance information is scattered across the Terms, Privacy Policy, and GDPR/DPA legal pages rather than a consolidated security page.
- A "Vulnerability Disclosure Program" page is indexed by search engines (ocoya.com/vulnerability, contact support@ocoya.com) but returned HTTP 404 on direct fetch during this review; could not confirm the program is currently live.
- No public disclosure on whether customer content is used to train AI models (Ocoya's own or third-party providers it relies on for AI generation), and no opt-out is documented.
// At a glance
Pricing model
Tiered SaaS subscription ($15-$159/month, billed monthly or annually with a 20% discount), 7-day free trial, credit-based usage for AI features
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on UAB Ocoya's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
ocoya.com