// Trust & Security Report

    UAB Ocoya logo

    UAB Ocoya

    Ocoya is an AI-powered social media management platform (content creation, scheduling, DM/comment automation, AI agents and workflows) sold in a single product line with tiered plans (Bronze, Silver, Gold, Diamond) for individuals, small teams, and agencies.

    Certifications held

    1

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    GDPR (compliance posture)
    HELD

    "Ocoya is a processor acting on behalf of Customer (whether itself a controller or a processor)." The page also incorporates Standard Contractual Clauses for EEA/UK/Swiss transfers via a Data Processing Addendum effective January 1, 2024.

    Verify on ocoya.com
    > Show 8 unconfirmed / not-held certifications
    SOC 2 (Type 1/2)
    NOT CONFIRMED

    no public evidence. The only third-party-audit language found is in the DPA: "Customer acknowledges that Ocoya is regularly audited against SSAE 16 and PCI standards by independent third party auditors and internal auditors respectively." This references SSAE 16 (an attestation standard superseded by SSAE 18 in 2017) and provides no report, badge, auditor name, or date, so it cannot be treated as confirmation of a current SOC 2 report.

    source: ocoya.com
    ISO 27001
    NOT CONFIRMED

    no public evidence. Not mentioned on the DPA/GDPR page, privacy policy, terms of service, or home page.

    source: ocoya.com
    HIPAA
    NOT CONFIRMED

    no public evidence. Not mentioned anywhere on the vendor's legal, privacy, or marketing pages; Ocoya's product (social media scheduling/marketing) is not positioned for healthcare/PHI use cases.

    source: ocoya.com
    PCI DSS
    NOT CONFIRMED

    The DPA states "Ocoya is regularly audited against SSAE 16 and PCI standards by independent third party auditors" but no PCI attestation of compliance (AOC), report, or badge is published, and Ocoya does not appear to process cardholder data directly (no named payment processor in the Terms of Service). Treated as unverified boilerplate, not a confirmed cert.

    source: ocoya.com
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    no public evidence found on any vendor-domain page.

    source: ocoya.com
    ISO/IEC 42001 (AI management systems)
    NOT CONFIRMED

    no public evidence. No AI-governance certification is referenced anywhere on the vendor's site despite Ocoya's product being built around AI agents/automation.

    source: ocoya.com
    CSA STAR
    NOT CONFIRMED

    no public evidence found.

    source: ocoya.com
    FedRAMP
    NOT CONFIRMED

    no public evidence; Ocoya is a EU-based SMB/agency marketing tool, not positioned for US federal/government use.

    source: ocoya.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Per the DPA: "Ocoya may transfer and process Customer Data to and in the United States and anywhere else in the world where Ocoya, its Affiliates or its Sub-processors maintain data processing operations," with Standard Contractual Clauses applied for EEA/UK/Swiss transfers. Company is EU-based (footer: "Made with in EU" / "Copyright UAB Ocoya", Lithuania).

    No explicit statement, in the privacy policy, DPA, or terms of service, on whether Ocoya or its underlying AI providers train models on customer content/data, and no opt-out mechanism is documented. Ocoya's AI features (caption/image generation) likely route through third-party AI providers that are not named in any of the reviewed vendor pages.

    // Security controls

    Encryption in transit

    Not publicly disclosed by Ocoya; the DPA instead places responsibility on the customer: "Customer is responsible for its secure use of the Service, including ... protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service."

    ocoya.com

    Third-party/independent audit claim

    DPA text claims regular audits against SSAE 16 and PCI standards, but no report, badge, or date is published; treated as unverified.

    ocoya.com

    Role-based access / workspace permissions

    Marketing copy references "team member roles" and "multi-level approvals" (internal approval, client approval, share public link) for workspace collaboration; no technical detail on how access control is enforced.

    ocoya.com

    Vulnerability disclosure program

    A page titled "Vulnerability Disclosure Program" for ocoya.com appears in third-party search indexes referencing reports to support@ocoya.com, but the URL (https://www.ocoya.com/vulnerability) returned HTTP 404 on direct fetch during this review, so an active, current program could not be independently confirmed.

    ocoya.com

    Sub-processor management

    "Customer agrees that Ocoya may engage Sub-processors to process Customer Data on Customer's behalf," with 10 days' advance notice of changes and a contractual requirement that sub-processors provide at least the same level of data protection.

    ocoya.com

    // Products & data scope

    Ocoya (Bronze / Silver plans)Individual & small-team social media scheduling

    data: 1-5 workspaces, 1-5 users, 5-20 connected social profiles, monthly AI credit allowance

    Same underlying platform and legal terms as higher tiers; no separate security posture documented for lower tiers.

    Ocoya (Gold / Diamond plans)Agency & larger-team social media management

    data: Up to unlimited workspaces, 20-50 users, 50-150 connected social profiles, client approval workflows and public-link sharing

    Adds multi-level approval flows and client-facing sharing links, which widens the practical data-exposure surface (external stakeholders can view shared links), but no additional compliance controls are documented for this tier.

    // What to watch

    • Over-claim risk: DPA states Ocoya is "regularly audited against SSAE 16 and PCI standards by independent third party auditors" with no report, badge, auditor name, or date published anywhere on the site. SSAE 16 was superseded by SSAE 18 in 2017, which suggests generic/stale template language rather than a current, verifiable audit. Do not list SOC 2 or PCI DSS as held certs based on this line alone.
    • No SOC 2, ISO 27001, ISO/IEC 42001, or HIPAA claims found anywhere on the vendor's site; none should be displayed for this listing.
    • No dedicated trust/security center; all compliance information is scattered across the Terms, Privacy Policy, and GDPR/DPA legal pages rather than a consolidated security page.
    • A "Vulnerability Disclosure Program" page is indexed by search engines (ocoya.com/vulnerability, contact support@ocoya.com) but returned HTTP 404 on direct fetch during this review; could not confirm the program is currently live.
    • No public disclosure on whether customer content is used to train AI models (Ocoya's own or third-party providers it relies on for AI generation), and no opt-out is documented.

    // At a glance

    Pricing model

    Tiered SaaS subscription ($15-$159/month, billed monthly or annually with a 20% discount), 7-day free trial, credit-based usage for AI features

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on UAB Ocoya's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-08. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    ocoya.com

    > Browse all vendor trust reports