Security Overview
Last updated: January 21, 2026
At Coplay, we understand that security is paramount when working with your code, assets, and project data. This page provides an overview of our security practices, data handling, and compliance measures.
Data Encryption
In Transit
All data transmitted between your Unity Editor and Coplay servers is encrypted using TLS 1.2 or higher. This includes:
- API requests and responses
- Authentication tokens
- Uploaded assets and files
- AI prompts and generated content
At Rest
Customer data stored in our systems is encrypted using AES-256 or equivalent industry-standard encryption:
- Database records
- Uploaded files and assets
- Backup data
- Log files containing customer information
Access Controls
We implement strict access controls to protect your data:
- Role-Based Access: Internal access to operational data is role-based and follows the principle of least privilege
- Audit Logging: All access to customer data is logged for accountability and incident investigation
- Multi-Factor Authentication: Required for all Coplay employees accessing production systems
- Regular Access Reviews: Periodic reviews of access permissions to ensure appropriateness
Data Residency
Where Your Data Lives
| Data Type | Location | Provider |
|---|---|---|
| Application Data | US West (us-west-1) | Supabase |
| Backend Processing | US Central (us-central1) | Google Cloud Platform |
| Database Backups | US West (same region) | Supabase |
| Analytics Data | United States | Google BigQuery |
No China Processing
We confirm that Coplay-controlled customer data is not stored or processed in China, and is not accessible from China by Coplay personnel or our subprocessors. This includes:
- No data centers or servers in China
- No subprocessors with China-based operations accessing customer data
- No support personnel accessing customer data from China
If you choose to use China-based models via OpenRouter, your data may be processed in China as described below.
For our complete list of data processors, see our Subprocessor List.
AI Provider Security
AI Provider Training Policies
Our primary AI provider partners (OpenAI, Anthropic, Google, and others) operate under API terms of service that prohibit them from using customer data submitted through their APIs for model training.
Coplay's Training Policy
- Non-Enterprise Users (Free & Professional): Coplay reserves the right to use your prompts, code, and content to train and improve our AI models. If you do not want your data used for training, you must upgrade to an Enterprise plan.
- Enterprise Users: Your data is never used for training. This is the only tier with a no-training guarantee.
See our Privacy Policy for full details.
Data Flow
When you use Coplay's AI features:
- Unity Plugin: Your prompts are sent through Coplay's backend servers, which route them to the appropriate AI provider. This allows us to:
  - Track usage and costs
  - Filter failed calls (you're not charged for errors)
  - Provide consistent error handling
  - Maintain audit logs
- BYOK (Bring Your Own Key): When using your own API keys with the Unity plugin, requests still pass through Coplay's infrastructure for feature support. For our upcoming Electron application, BYOK requests are sent directly to providers.
Provider Retention
AI providers may temporarily retain data (typically 30 days or less) for:
- Abuse monitoring and safety
- Service quality assurance
- Compliance requirements
This retention is solely for operational purposes and does not include model training.
OpenRouter and China-Based Models
When using OpenRouter, some models (such as DeepSeek and Qwen) are provided by China-based companies. Selecting these models will route your data to servers in China, which is outside our "No China Processing" commitment.
Organizations with policies restricting data transfer to China should avoid selecting DeepSeek, Qwen, or other China-based models. See our Subprocessor List for details.
Incident Response
Our Commitment
Coplay maintains documented incident response procedures to address security incidents promptly:
- Detection: Continuous monitoring for security anomalies
- Response: Immediate investigation and containment
- Notification: Affected users notified within 72 hours of a confirmed breach
- Remediation: Root cause analysis and preventive measures
Breach Notification
In the event of a confirmed data breach:
- Users notified via email within 72 hours
- Notification includes nature of breach, data affected, and remediation steps
- Enterprise customers receive notifications to designated security contacts
- Regulatory authorities notified as required by law
See our Terms of Service for complete breach notification details.
Compliance and Certifications
Our Infrastructure Providers
We partner with industry-leading providers who maintain rigorous compliance certifications:
| Provider | Certifications |
|---|---|
| Google Cloud Platform | SOC 1/2/3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, HIPAA, FedRAMP |
| Supabase | SOC 2 Type II, HIPAA (available) |
| Stripe | PCI DSS Level 1 |
| OpenAI | SOC 2 Type II |
| Anthropic | SOC 2 Type II |
Data Protection
- GDPR: We support GDPR compliance requirements for EU users
- CCPA: We support CCPA requirements for California residents
- Data Processing Agreements: Available for enterprise customers
Enterprise Security Features
Enterprise customers have access to additional security features:
- Custom VPC Installation: Deploy Coplay within your own cloud infrastructure
- Air-Gapped Deployments: Fully isolated installations for sensitive environments
- SSO Integration: Single sign-on with your identity provider
- Custom Data Retention: Configure retention policies to meet your requirements
- Dedicated Support: Priority security support and incident response
- Security Questionnaire: Completed responses available upon request
Responsible Disclosure
If you discover a security vulnerability in Coplay, please report it responsibly:
- Email: security@coplay.dev
- Include detailed steps to reproduce the issue
- Allow reasonable time for us to address the issue before public disclosure
We appreciate the security research community's efforts to help keep Coplay secure.
Questions?
For security-related questions or to request additional documentation:
- General Inquiries: support@coplay.dev
- Security Team: security@coplay.dev
- Enterprise Security: Contact your account representative
We're committed to transparency about our security practices. If you need information not covered here, please reach out.